API Overview API Index Package Overview Direct link to this page
JDK 1.6
  java.security.cert. PKIXCertPathChecker View Javadoc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

/*
 * @(#)PKIXCertPathChecker.java	1.8 05/11/17
 *
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.security.cert;

import java.util.Collection;
import java.util.Set;

/**
 * An abstract class that performs one or more checks on an 
 * <code>X509Certificate</code>. 
 * 
 * <p>A concrete implementation of the <code>PKIXCertPathChecker</code> class 
 * can be created to extend the PKIX certification path validation algorithm.
 * For example, an implementation may check for and process a critical private
 * extension of each certificate in a certification path.
 *
 * <p>Instances of <code>PKIXCertPathChecker</code> are passed as parameters
 * using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
 * or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods 
 * of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code>
 * class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check}
 * methods will be called, in turn, for each certificate processed by a PKIX 
 * <code>CertPathValidator</code> or <code>CertPathBuilder</code> 
 * implementation.
 * 
 * <p>A <code>PKIXCertPathChecker</code> may be called multiple times on 
 * successive certificates in a certification path. Concrete subclasses
 * are expected to maintain any internal state that may be necessary to 
 * check successive certificates. The {@link #init init} method is used 
 * to initialize the internal state of the checker so that the certificates 
 * of a new certification path may be checked. A stateful implementation
 * <b>must</b> override the {@link #clone clone} method if necessary in 
 * order to allow a PKIX <code>CertPathBuilder</code> to efficiently 
 * backtrack and try other paths. In these situations, the 
 * <code>CertPathBuilder</code> is able to restore prior path validation 
 * states by restoring the cloned <code>PKIXCertPathChecker</code>s.
 *
 * <p>The order in which the certificates are presented to the 
 * <code>PKIXCertPathChecker</code> may be either in the forward direction 
 * (from target to most-trusted CA) or in the reverse direction (from 
 * most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation
 * <b>must</b> support reverse checking (the ability to perform its checks when
 * it is presented with certificates in the reverse direction) and <b>may</b> 
 * support forward checking (the ability to perform its checks when it is 
 * presented with certificates in the forward direction). The 
 * {@link #isForwardCheckingSupported isForwardCheckingSupported} method 
 * indicates whether forward checking is supported.
 * <p>
 * Additional input parameters required for executing the check may be 
 * specified through constructors of concrete implementations of this class.
 * <p>
 * <b>Concurrent Access</b>
 * <p>
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see PKIXParameters 
 * @see PKIXBuilderParameters
 *
 * @version 	1.8 11/17/05
 * @since	1.4
 * @author	Yassir Elley
 * @author	Sean Mullan
 */
public abstract class PKIXCertPathChecker implements Cloneable {

    /**
     * Default constructor.
     */
    protected PKIXCertPathChecker() {}

    /**
     * Initializes the internal state of this <code>PKIXCertPathChecker</code>.
     * <p> 
     * The <code>forward</code> flag specifies the order that
     * certificates will be passed to the {@link #check check} method
     * (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b> 
     * support reverse checking and <b>may</b> support forward checking. 
     *
     * @param forward the order that certificates are presented to
     * the <code>check</code> method. If <code>true</code>, certificates 
     * are presented from target to most-trusted CA (forward); if 
     * <code>false</code>, from most-trusted CA to target (reverse).
     * @throws CertPathValidatorException if this 
     * <code>PKIXCertPathChecker</code> is unable to check certificates in 
     * the specified order; it should never be thrown if the forward flag 
     * is false since reverse checking must be supported
     */
    public abstract void init(boolean forward) 
	throws CertPathValidatorException;

    /**
     * Indicates if forward checking is supported. Forward checking refers
     * to the ability of the <code>PKIXCertPathChecker</code> to perform 
     * its checks when certificates are presented to the <code>check</code>
     * method in the forward direction (from target to most-trusted CA).
     *
     * @return <code>true</code> if forward checking is supported, 
     * <code>false</code> otherwise
     */
    public abstract boolean isForwardCheckingSupported();

    /**
     * Returns an immutable <code>Set</code> of X.509 certificate extensions 
     * that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is 
     * able to process), or <code>null</code> if no extensions are supported. 
     * <p>
     * Each element of the set is a <code>String</code> representing the
     * Object Identifier (OID) of the X.509 extension that is supported.
     * The OID is represented by a set of nonnegative integers separated by
     * periods.
     * <p>
     * All X.509 certificate extensions that a <code>PKIXCertPathChecker</code>
     * might possibly be able to process should be included in the set.
     *
     * @return an immutable <code>Set</code> of X.509 extension OIDs (in
     * <code>String</code> format) supported by this 
     * <code>PKIXCertPathChecker</code>, or <code>null</code> if no 
     * extensions are supported
     */
    public abstract Set<String> getSupportedExtensions();

    /**
     * Performs the check(s) on the specified certificate using its internal 
     * state and removes any critical extensions that it processes from the 
     * specified collection of OID strings that represent the unresolved 
     * critical extensions. The certificates are presented in the order 
     * specified by the <code>init</code> method.
     *
     * @param cert the <code>Certificate</code> to be checked
     * @param unresolvedCritExts a <code>Collection</code> of OID strings 
     * representing the current set of unresolved critical extensions
     * @exception CertPathValidatorException if the specified certificate does 
     * not pass the check
     */
    public abstract void check(Certificate cert, 
	    Collection<String> unresolvedCritExts) 
	    throws CertPathValidatorException;

    /**
     * Returns a clone of this object. Calls the <code>Object.clone()</code>
     * method.
     * All subclasses which maintain state must support and
     * override this method, if necessary.
     * 
     * @return a copy of this <code>PKIXCertPathChecker</code>
     */
    public Object clone() {
	try {
	    return super.clone();
	} catch (CloneNotSupportedException e) {
	    /* Cannot happen */
	    throw new InternalError(e.toString());
	}
    }
}

Generated By: JavaOnTracks Doclet 0.1.4     ©Thibaut Colar