com.tencent.kona.sun.security.validator

Class Validator

java.lang.Object

com.tencent.kona.sun.security.validator.Validator

Direct Known Subclasses:

PKIXValidator, SimpleValidator

public abstract class Validator
extends java.lang.Object

Validator abstract base class. Concrete classes are instantiated by calling one of the getInstance() methods. All methods defined in this class must be safe for concurrent use by multiple threads.

The model is that a Validator instance is created specifying validation settings, such as trust anchors or PKIX parameters. Then one or more paths are validated using those parameters. In some cases, additional information can be provided per path validation. This is independent of the validation parameters and currently only used for TLS server validation.

Path validation is performed by calling one of the validate() methods. It specifies a suggested path to be used for validation if available, or only the end entity certificate otherwise. Optionally additional certificates can be specified that the caller believes could be helpful. Implementations are free to make use of this information or validate the path using other means. validate() also checks that the end entity certificate is suitable for the intended purpose as described below.

There are two orthogonal parameters to select the Validator implementation: type and variant. Type selects the validation algorithm. Currently supported are TYPE_SIMPLE and TYPE_PKIX. See SimpleValidator and PKIXValidator for details.

Variant controls additional extension checks. Currently supported are five variants:

• VAR_GENERIC (no additional checks),
• VAR_TLS_CLIENT (TLS client specific checks)
• VAR_TLS_SERVER (TLS server specific checks), and
• VAR_CODE_SIGNING (code signing specific checks).
• VAR_JCE_SIGNING (JCE code signing specific checks).
• VAR_TSA_SERVER (TSA server specific checks).

See EndEntityChecker for more information.

Examples:

   // instantiate validator specifying type, variant, and trust anchors
   Validator validator = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               trustedCerts);
   // validate one or more chains using the validator
   validator.validate(chain); // throws CertificateException if failed
 

See Also:

SimpleValidator, PKIXValidator, EndEntityChecker

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	TYPE_PKIX Constant for a validator of type PKIX.
static java.lang.String	TYPE_SIMPLE Constant for a validator of type Simple.
static java.lang.String	VAR_CODE_SIGNING Constant for a Code Signing variant of a validator.
static java.lang.String	VAR_GENERIC Constant for a Generic variant of a validator.
static java.lang.String	VAR_JCE_SIGNING Constant for a JCE Code Signing variant of a validator.
static java.lang.String	VAR_TLS_CLIENT Constant for a TLS Client variant of a validator.
static java.lang.String	VAR_TLS_SERVER Constant for a TLS Server variant of a validator.
static java.lang.String	VAR_TSA_SERVER Constant for a TSA Server variant of a validator.

Method Summary

Modifier and Type	Method and Description
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.util.Collection<java.security.cert.X509Certificate> trustedCerts) Get a new Validator instance using the Set of X509Certificates as trust anchors.
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.security.KeyStore ks) Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.security.cert.PKIXBuilderParameters params) Get a new Validator instance using the provided PKIXBuilderParameters.
abstract java.util.Collection<java.security.cert.X509Certificate>	getTrustedCertificates() Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
void	setValidationDate(java.util.Date validationDate) Deprecated.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts, java.util.List<byte[]> responseList, java.security.AlgorithmConstraints constraints, java.lang.Object parameter) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts, java.lang.Object parameter) Validate the given certificate chain.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TYPE_SIMPLE

public static final java.lang.String TYPE_SIMPLE

Constant for a validator of type Simple.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

TYPE_PKIX

public static final java.lang.String TYPE_PKIX

Constant for a validator of type PKIX.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_GENERIC

public static final java.lang.String VAR_GENERIC

Constant for a Generic variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_CODE_SIGNING

public static final java.lang.String VAR_CODE_SIGNING

Constant for a Code Signing variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_JCE_SIGNING

public static final java.lang.String VAR_JCE_SIGNING

Constant for a JCE Code Signing variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TLS_CLIENT

public static final java.lang.String VAR_TLS_CLIENT

Constant for a TLS Client variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TLS_SERVER

public static final java.lang.String VAR_TLS_SERVER

Constant for a TLS Server variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TSA_SERVER

public static final java.lang.String VAR_TSA_SERVER

Constant for a TSA Server variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

Method Detail

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.security.KeyStore ks)

Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.util.Collection<java.security.cert.X509Certificate> trustedCerts)

Get a new Validator instance using the Set of X509Certificates as trust anchors.

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.security.cert.PKIXBuilderParameters params)

Get a new Validator instance using the provided PKIXBuilderParameters. This method can only be used with the PKIX validator.

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts,
                                                           java.lang.Object parameter)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Returns:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts,
                                                           java.util.List<byte[]> responseList,
                                                           java.security.AlgorithmConstraints constraints,
                                                           java.lang.Object parameter)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain.

Parameters:

chain - the target certificate chain

otherCerts - a Collection of additional X509Certificates that could be helpful for path building (or null)

responseList - a List of zero or more byte arrays, each one being a DER-encoded OCSP response (per RFC 6960). Entries in the List must match the order of the certificates in the chain parameter. It is possible that fewer responses may be in the list than are elements in chain and a missing response for a matching element in chain can be represented with a zero-length byte array.

constraints - algorithm constraints for certification path processing

parameter - an additional parameter object to pass specific data. This parameter object maybe one of the two below: 1) TLS_SERVER variant validators, where it must be non-null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). 2) Timestamp object from a signed JAR file.

Returns:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

Throws:

java.security.cert.CertificateException

getTrustedCertificates

public abstract java.util.Collection<java.security.cert.X509Certificate> getTrustedCertificates()

Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.

setValidationDate

@Deprecated
public void setValidationDate(java.util.Date validationDate)

Deprecated.

Set the date to be used for subsequent validations. NOTE that this is not a supported API, it is provided to simplify writing tests only.