1
package java.security.cert;
3
import java.util.Collection;
7
* An abstract class that performs one or more checks on an
8
* <code>X509Certificate</code>. <br />
10
* A concrete implementation of the <code>PKIXCertPathChecker</code> class
11
* can be created to extend the PKIX certification path validation algorithm.
12
* For example, an implementation may check for and process a critical private
13
* extension of each certificate in a certification path.<br />
15
* Instances of <code>PKIXCertPathChecker</code> are passed as parameters
16
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
17
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
18
* of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code>
19
* class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check}
20
* methods will be called, in turn, for each certificate processed by a PKIX
21
* <code>CertPathValidator</code> or <code>CertPathBuilder</code>
22
* implementation.<br />
24
* A <code>PKIXCertPathChecker</code> may be called multiple times on
25
* successive certificates in a certification path. Concrete subclasses
26
* are expected to maintain any internal state that may be necessary to
27
* check successive certificates. The {@link #init init} method is used
28
* to initialize the internal state of the checker so that the certificates
29
* of a new certification path may be checked. A stateful implementation
30
* <b>must</b> override the {@link #clone clone} method if necessary in
31
* order to allow a PKIX <code>CertPathBuilder</code> to efficiently
32
* backtrack and try other paths. In these situations, the
33
* <code>CertPathBuilder</code> is able to restore prior path validation
34
* states by restoring the cloned <code>PKIXCertPathChecker</code>s.<br />
36
* The order in which the certificates are presented to the
37
* <code>PKIXCertPathChecker</code> may be either in the forward direction
38
* (from target to most-trusted CA) or in the reverse direction (from
39
* most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation
40
* <b>must</b> support reverse checking (the ability to perform its checks when
41
* it is presented with certificates in the reverse direction) and <b>may</b>
42
* support forward checking (the ability to perform its checks when it is
43
* presented with certificates in the forward direction). The
44
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method
45
* indicates whether forward checking is supported.<br />
47
* Additional input parameters required for executing the check may be
48
* specified through constructors of concrete implementations of this class.<br />
50
* <b>Concurrent Access</b><br />
52
* Unless otherwise specified, the methods defined in this class are not
53
* thread-safe. Multiple threads that need to access a single
54
* object concurrently should synchronize amongst themselves and
55
* provide the necessary locking. Multiple threads each manipulating
56
* separate objects need not synchronize.
59
* @see PKIXBuilderParameters
61
public abstract class PKIXCertPathChecker implements Cloneable
65
* Default constructor.
67
protected PKIXCertPathChecker() {}
70
* Initializes the internal state of this <code>PKIXCertPathChecker</code>.
72
* The <code>forward</code> flag specifies the order that
73
* certificates will be passed to the {@link #check check} method
74
* (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b>
75
* support reverse checking and <b>may</b> support forward checking.
77
* @param forward the order that certificates are presented to
78
* the <code>check</code> method. If <code>true</code>, certificates
79
* are presented from target to most-trusted CA (forward); if
80
* <code>false</code>, from most-trusted CA to target (reverse).
81
* @exception CertPathValidatorException if this
82
* <code>PKIXCertPathChecker</code> is unable to check certificates in
83
* the specified order; it should never be thrown if the forward flag
84
* is false since reverse checking must be supported
86
public abstract void init(boolean forward)
87
throws CertPathValidatorException;
90
* Indicates if forward checking is supported. Forward checking refers
91
* to the ability of the <code>PKIXCertPathChecker</code> to perform
92
* its checks when certificates are presented to the <code>check</code>
93
* method in the forward direction (from target to most-trusted CA).
95
* @return <code>true</code> if forward checking is supported,
96
* <code>false</code> otherwise
98
public abstract boolean isForwardCheckingSupported();
101
* Returns an immutable <code>Set</code> of X.509 certificate extensions
102
* that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is
103
* able to process), or <code>null</code> if no extensions are supported.
105
* Each element of the set is a <code>String</code> representing the
106
* Object Identifier (OID) of the X.509 extension that is supported.
107
* The OID is represented by a set of nonnegative integers separated by
110
* All X.509 certificate extensions that a <code>PKIXCertPathChecker</code>
111
* might possibly be able to process should be included in the set.
113
* @return an immutable <code>Set</code> of X.509 extension OIDs (in
114
* <code>String</code> format) supported by this
115
* <code>PKIXCertPathChecker</code>, or <code>null</code> if no
116
* extensions are supported
118
public abstract Set getSupportedExtensions();
121
* Performs the check(s) on the specified certificate using its internal
122
* state and removes any critical extensions that it processes from the
123
* specified collection of OID strings that represent the unresolved
124
* critical extensions. The certificates are presented in the order
125
* specified by the <code>init</code> method.
127
* @param cert the <code>Certificate</code> to be checked
128
* @param unresolvedCritExts a <code>Collection</code> of OID strings
129
* representing the current set of unresolved critical extensions
130
* @exception CertPathValidatorException if the specified certificate does
133
public abstract void check(
135
Collection unresolvedCritExts)
136
throws CertPathValidatorException;
139
* Returns a clone of this object. Calls the <code>Object.clone()</code>
141
* All subclasses which maintain state must support and
142
* override this method, if necessary.
144
* @return a copy of this <code>PKIXCertPathChecker</code>
146
public Object clone()
149
return super.clone();
150
} catch ( CloneNotSupportedException ex ) {
152
throw new InternalError( ex.toString() );