/* * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. * * * * * * * * * * * * * * * * * * * * */ package java.security.cert; import java.security.AccessController; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivilegedAction; import java.security.Provider; import java.security.Security; import sun.security.util.Debug; import sun.security.jca.*; import sun.security.jca.GetInstance.Instance; /** * A class for validating certification paths (also known as certificate * chains). *

* This class uses a provider-based architecture. * To create a CertPathValidator, * call one of the static getInstance methods, passing in the * algorithm name of the CertPathValidator desired and * optionally the name of the provider desired. *

* Once a CertPathValidator object has been created, it can * be used to validate certification paths by calling the {@link #validate * validate} method and passing it the CertPath to be validated * and an algorithm-specific set of parameters. If successful, the result is * returned in an object that implements the * CertPathValidatorResult interface. * *

Every implementation of the Java platform is required to support the * following standard CertPathValidator algorithm: *

* This algorithm is described in the * CertPathValidator section of the * Java Cryptography Architecture Standard Algorithm Name Documentation. * Consult the release documentation for your implementation to see if any * other algorithms are supported. * *

* Concurrent Access *

* The static methods of this class are guaranteed to be thread-safe. * Multiple threads may concurrently invoke the static methods defined in * this class with no ill effects. *

* However, this is not true for the non-static methods defined by this class. * Unless otherwise documented by a specific provider, threads that need to * access a single CertPathValidator instance concurrently should * synchronize amongst themselves and provide the necessary locking. Multiple * threads each manipulating a different CertPathValidator * instance need not synchronize. * * @see CertPath * * @since 1.4 * @author Yassir Elley */ public class CertPathValidator { /* * Constant to lookup in the Security properties file to determine * the default certpathvalidator type. In the Security properties file, * the default certpathvalidator type is given as: * 

     * certpathvalidator.type=PKIX
     *
*/ private static final String CPV_TYPE = "certpathvalidator.type"; private static final Debug debug = Debug.getInstance("certpath"); private CertPathValidatorSpi validatorSpi; private Provider provider; private String algorithm; /** * Creates a CertPathValidator object of the given algorithm, * and encapsulates the given provider implementation (SPI object) in it. * * @param validatorSpi the provider implementation * @param provider the provider * @param algorithm the algorithm name */ protected CertPathValidator(CertPathValidatorSpi validatorSpi, Provider provider, String algorithm) { this.validatorSpi = validatorSpi; this.provider = provider; this.algorithm = algorithm; } /** * Returns a CertPathValidator object that implements the * specified algorithm. * *

This method traverses the list of registered security Providers, * starting with the most preferred Provider. * A new CertPathValidator object encapsulating the * CertPathValidatorSpi implementation from the first * Provider that supports the specified algorithm is returned. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * * @param algorithm the name of the requested CertPathValidator * algorithm. See the CertPathValidator section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @return a CertPathValidator object that implements the * specified algorithm. * * @exception NoSuchAlgorithmException if no Provider supports a * CertPathValidatorSpi implementation for the * specified algorithm. * * @see java.security.Provider */ public static CertPathValidator getInstance(String algorithm) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("CertPathValidator", CertPathValidatorSpi.class, algorithm); return new CertPathValidator((CertPathValidatorSpi)instance.impl, instance.provider, algorithm); } /** * Returns a CertPathValidator object that implements the * specified algorithm. * *

A new CertPathValidator object encapsulating the * CertPathValidatorSpi implementation from the specified provider * is returned. The specified provider must be registered * in the security provider list. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * * @param algorithm the name of the requested CertPathValidator * algorithm. See the CertPathValidator section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @param provider the name of the provider. * * @return a CertPathValidator object that implements the * specified algorithm. * * @exception NoSuchAlgorithmException if a CertPathValidatorSpi * implementation for the specified algorithm is not * available from the specified provider. * * @exception NoSuchProviderException if the specified provider is not * registered in the security provider list. * * @exception IllegalArgumentException if the provider is * null or empty. * * @see java.security.Provider */ public static CertPathValidator getInstance(String algorithm, String provider) throws NoSuchAlgorithmException, NoSuchProviderException { Instance instance = GetInstance.getInstance("CertPathValidator", CertPathValidatorSpi.class, algorithm, provider); return new CertPathValidator((CertPathValidatorSpi)instance.impl, instance.provider, algorithm); } /** * Returns a CertPathValidator object that implements the * specified algorithm. * *

A new CertPathValidator object encapsulating the * CertPathValidatorSpi implementation from the specified Provider * object is returned. Note that the specified Provider object * does not have to be registered in the provider list. * * @param algorithm the name of the requested CertPathValidator * algorithm. See the CertPathValidator section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @param provider the provider. * * @return a CertPathValidator object that implements the * specified algorithm. * * @exception NoSuchAlgorithmException if a CertPathValidatorSpi * implementation for the specified algorithm is not available * from the specified Provider object. * * @exception IllegalArgumentException if the provider is * null. * * @see java.security.Provider */ public static CertPathValidator getInstance(String algorithm, Provider provider) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("CertPathValidator", CertPathValidatorSpi.class, algorithm, provider); return new CertPathValidator((CertPathValidatorSpi)instance.impl, instance.provider, algorithm); } /** * Returns the Provider of this * CertPathValidator. * * @return the Provider of this CertPathValidator */ public final Provider getProvider() { return this.provider; } /** * Returns the algorithm name of this CertPathValidator. * * @return the algorithm name of this CertPathValidator */ public final String getAlgorithm() { return this.algorithm; } /** * Validates the specified certification path using the specified * algorithm parameter set. *

* The CertPath specified must be of a type that is * supported by the validation algorithm, otherwise an * InvalidAlgorithmParameterException will be thrown. For * example, a CertPathValidator that implements the PKIX * algorithm validates CertPath objects of type X.509. * * @param certPath the CertPath to be validated * @param params the algorithm parameters * @return the result of the validation algorithm * @exception CertPathValidatorException if the CertPath * does not validate * @exception InvalidAlgorithmParameterException if the specified * parameters or the type of the specified CertPath are * inappropriate for this CertPathValidator */ public final CertPathValidatorResult validate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException { return validatorSpi.engineValidate(certPath, params); } /** * Returns the default CertPathValidator type as specified in * the Java security properties file, or the string "PKIX" * if no such property exists. The Java security properties file is * located in the file named <JAVA_HOME>/lib/security/java.security. * <JAVA_HOME> refers to the value of the java.home system property, * and specifies the directory where the JRE is installed. * *

The default CertPathValidator type can be used by * applications that do not want to use a hard-coded type when calling one * of the getInstance methods, and want to provide a default * type in case a user does not specify its own. * *

The default CertPathValidator type can be changed by * setting the value of the "certpathvalidator.type" security property * (in the Java security properties file) to the desired type. * * @return the default CertPathValidator type as specified * in the Java security properties file, or the string "PKIX" * if no such property exists. */ public final static String getDefaultType() { String cpvtype; cpvtype = AccessController.doPrivileged(new PrivilegedAction() { public String run() { return Security.getProperty(CPV_TYPE); } }); if (cpvtype == null) { cpvtype = "PKIX"; } return cpvtype; } }