| /* |
| * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package java.security.cert; |
| |
| import java.util.Collection; |
| import java.util.Set; |
| |
| /** |
| * An abstract class that performs one or more checks on an |
| * {@code X509Certificate}. |
| * |
| * <p>A concrete implementation of the {@code PKIXCertPathChecker} class |
| * can be created to extend the PKIX certification path validation algorithm. |
| * For example, an implementation may check for and process a critical private |
| * extension of each certificate in a certification path. |
| * |
| * <p>Instances of {@code PKIXCertPathChecker} are passed as parameters |
| * using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} |
| * or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods |
| * of the {@code PKIXParameters} and {@code PKIXBuilderParameters} |
| * class. Each of the {@code PKIXCertPathChecker}s {@link #check check} |
| * methods will be called, in turn, for each certificate processed by a PKIX |
| * {@code CertPathValidator} or {@code CertPathBuilder} |
| * implementation. |
| * |
| * <p>A {@code PKIXCertPathChecker} may be called multiple times on |
| * successive certificates in a certification path. Concrete subclasses |
| * are expected to maintain any internal state that may be necessary to |
| * check successive certificates. The {@link #init init} method is used |
| * to initialize the internal state of the checker so that the certificates |
| * of a new certification path may be checked. A stateful implementation |
| * <b>must</b> override the {@link #clone clone} method if necessary in |
| * order to allow a PKIX {@code CertPathBuilder} to efficiently |
| * backtrack and try other paths. In these situations, the |
| * {@code CertPathBuilder} is able to restore prior path validation |
| * states by restoring the cloned {@code PKIXCertPathChecker}s. |
| * |
| * <p>The order in which the certificates are presented to the |
| * {@code PKIXCertPathChecker} may be either in the forward direction |
| * (from target to most-trusted CA) or in the reverse direction (from |
| * most-trusted CA to target). A {@code PKIXCertPathChecker} implementation |
| * <b>must</b> support reverse checking (the ability to perform its checks when |
| * it is presented with certificates in the reverse direction) and <b>may</b> |
| * support forward checking (the ability to perform its checks when it is |
| * presented with certificates in the forward direction). The |
| * {@link #isForwardCheckingSupported isForwardCheckingSupported} method |
| * indicates whether forward checking is supported. |
| * <p> |
| * Additional input parameters required for executing the check may be |
| * specified through constructors of concrete implementations of this class. |
| * <p> |
| * <b>Concurrent Access</b> |
| * <p> |
| * Unless otherwise specified, the methods defined in this class are not |
| * thread-safe. Multiple threads that need to access a single |
| * object concurrently should synchronize amongst themselves and |
| * provide the necessary locking. Multiple threads each manipulating |
| * separate objects need not synchronize. |
| * |
| * @see PKIXParameters |
| * @see PKIXBuilderParameters |
| * |
| * @since 1.4 |
| * @author Yassir Elley |
| * @author Sean Mullan |
| */ |
| public abstract class PKIXCertPathChecker |
| implements CertPathChecker, Cloneable { |
| |
| /** |
| * Default constructor. |
| */ |
| protected PKIXCertPathChecker() {} |
| |
| /** |
| * Initializes the internal state of this {@code PKIXCertPathChecker}. |
| * <p> |
| * The {@code forward} flag specifies the order that |
| * certificates will be passed to the {@link #check check} method |
| * (forward or reverse). A {@code PKIXCertPathChecker} <b>must</b> |
| * support reverse checking and <b>may</b> support forward checking. |
| * |
| * @param forward the order that certificates are presented to |
| * the {@code check} method. If {@code true}, certificates |
| * are presented from target to most-trusted CA (forward); if |
| * {@code false}, from most-trusted CA to target (reverse). |
| * @throws CertPathValidatorException if this |
| * {@code PKIXCertPathChecker} is unable to check certificates in |
| * the specified order; it should never be thrown if the forward flag |
| * is false since reverse checking must be supported |
| */ |
| @Override |
| public abstract void init(boolean forward) |
| throws CertPathValidatorException; |
| |
| /** |
| * Indicates if forward checking is supported. Forward checking refers |
| * to the ability of the {@code PKIXCertPathChecker} to perform |
| * its checks when certificates are presented to the {@code check} |
| * method in the forward direction (from target to most-trusted CA). |
| * |
| * @return {@code true} if forward checking is supported, |
| * {@code false} otherwise |
| */ |
| @Override |
| public abstract boolean isForwardCheckingSupported(); |
| |
| /** |
| * Returns an immutable {@code Set} of X.509 certificate extensions |
| * that this {@code PKIXCertPathChecker} supports (i.e. recognizes, is |
| * able to process), or {@code null} if no extensions are supported. |
| * <p> |
| * Each element of the set is a {@code String} representing the |
| * Object Identifier (OID) of the X.509 extension that is supported. |
| * The OID is represented by a set of nonnegative integers separated by |
| * periods. |
| * <p> |
| * All X.509 certificate extensions that a {@code PKIXCertPathChecker} |
| * might possibly be able to process should be included in the set. |
| * |
| * @return an immutable {@code Set} of X.509 extension OIDs (in |
| * {@code String} format) supported by this |
| * {@code PKIXCertPathChecker}, or {@code null} if no |
| * extensions are supported |
| */ |
| public abstract Set<String> getSupportedExtensions(); |
| |
| /** |
| * Performs the check(s) on the specified certificate using its internal |
| * state and removes any critical extensions that it processes from the |
| * specified collection of OID strings that represent the unresolved |
| * critical extensions. The certificates are presented in the order |
| * specified by the {@code init} method. |
| * |
| * @param cert the {@code Certificate} to be checked |
| * @param unresolvedCritExts a {@code Collection} of OID strings |
| * representing the current set of unresolved critical extensions |
| * @exception CertPathValidatorException if the specified certificate does |
| * not pass the check |
| */ |
| public abstract void check(Certificate cert, |
| Collection<String> unresolvedCritExts) |
| throws CertPathValidatorException; |
| |
| /** |
| * {@inheritDoc} |
| * |
| * <p>This implementation calls |
| * {@code check(cert, java.util.Collections.<String>emptySet())}. |
| */ |
| @Override |
| public void check(Certificate cert) throws CertPathValidatorException { |
| check(cert, java.util.Collections.<String>emptySet()); |
| } |
| |
| /** |
| * Returns a clone of this object. Calls the {@code Object.clone()} |
| * method. |
| * All subclasses which maintain state must support and |
| * override this method, if necessary. |
| * |
| * @return a copy of this {@code PKIXCertPathChecker} |
| */ |
| @Override |
| public Object clone() { |
| try { |
| return super.clone(); |
| } catch (CloneNotSupportedException e) { |
| /* Cannot happen */ |
| throw new InternalError(e.toString(), e); |
| } |
| } |
| } |