sun.security.validator: public final class: PKIXValidator

sun.security.validator
public final class: PKIXValidator [javadoc | source]

java.lang.Object
   sun.security.validator.Validator
      sun.security.validator.PKIXValidator

Validator implementation built on the PKIX CertPath API. This implementation will be emphasized going forward.

Note that the validate() implementation tries to use a PKIX validator if that appears possible and a PKIX builder otherwise. This increases performance and currently also leads to better exception messages in case of failures.

author: Andreas - Sterbenz

Fields inherited from sun.security.validator.Validator:
CHAIN0, TYPE_SIMPLE, TYPE_PKIX, VAR_GENERIC, VAR_CODE_SIGNING, VAR_JCE_SIGNING, VAR_TLS_CLIENT, VAR_TLS_SERVER, VAR_TSA_SERVER, VAR_PLUGIN_CODE_SIGNING, endEntityChecker, variant, validationDate

Constructor:
PKIXValidator(String variant, Collection trustedCerts) { super(TYPE_PKIX, variant); if (trustedCerts instanceof Set) { this.trustedCerts = (Set< X509Certificate >)trustedCerts; } else { this.trustedCerts = new HashSet< X509Certificate >(trustedCerts); } Set< TrustAnchor > trustAnchors = new HashSet< TrustAnchor >(); for (X509Certificate cert : trustedCerts) { trustAnchors.add(new TrustAnchor(cert, null)); } try { parameterTemplate = new PKIXBuilderParameters(trustAnchors, null); } catch (InvalidAlgorithmParameterException e) { throw new RuntimeException("Unexpected error: " + e.toString(), e); } setDefaultParameters(variant); initCommon(); }
PKIXValidator(String variant, PKIXBuilderParameters params) { super(TYPE_PKIX, variant); trustedCerts = new HashSet< X509Certificate >(); for (TrustAnchor anchor : params.getTrustAnchors()) { X509Certificate cert = anchor.getTrustedCert(); if (cert != null) { trustedCerts.add(cert); } } parameterTemplate = params; initCommon(); }

Constructor:

 PKIXValidator(String variant,
    Collection trustedCerts) {
        
        super(TYPE_PKIX, variant);
        if (trustedCerts instanceof Set) {
            this.trustedCerts = (Set< X509Certificate >)trustedCerts;
        } else {
            this.trustedCerts = new HashSet< X509Certificate >(trustedCerts);
        }
        Set< TrustAnchor > trustAnchors = new HashSet< TrustAnchor >();
        for (X509Certificate cert : trustedCerts) {
            trustAnchors.add(new TrustAnchor(cert, null));
        }
        try {
            parameterTemplate = new PKIXBuilderParameters(trustAnchors, null);
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException("Unexpected error: " + e.toString(), e);
        }
        setDefaultParameters(variant);
        initCommon();
}

 PKIXValidator(String variant,
    PKIXBuilderParameters params) {
        super(TYPE_PKIX, variant);
        trustedCerts = new HashSet< X509Certificate >();
        for (TrustAnchor anchor : params.getTrustAnchors()) {
            X509Certificate cert = anchor.getTrustedCert();
            if (cert != null) {
                trustedCerts.add(cert);
            }
        }
        parameterTemplate = params;
        initCommon();
}

Method from sun.security.validator.PKIXValidator Summary:
engineValidate, getCertPathLength, getParameters, getTrustedCertificates

Methods from sun.security.validator.Validator:
engineValidate, getInstance, getInstance, getInstance, getTrustedCertificates, setValidationDate, validate, validate, validate

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from sun.security.validator.PKIXValidator Detail:
X509Certificate[] engineValidate(X509Certificate[] chain, Collection otherCerts, Object parameter) throws CertificateException { if ((chain == null) \|\| (chain.length == 0)) { throw new CertificateException ("null or zero-length certificate chain"); } if (TRY_VALIDATOR) { // check if chain contains trust anchor for (int i = 0; i < chain.length; i++) { if (trustedCerts.contains(chain[i])) { if (i == 0) { return new X509Certificate[] {chain[0]}; } // Remove and call validator X509Certificate[] newChain = new X509Certificate[i]; System.arraycopy(chain, 0, newChain, 0, i); return doValidate(newChain); } } // not self issued and apparently issued by trust anchor? X509Certificate last = chain[chain.length - 1]; X500Principal issuer = last.getIssuerX500Principal(); X500Principal subject = last.getSubjectX500Principal(); if (trustedSubjects.containsKey(issuer) && !issuer.equals(subject) && isSignatureValid(trustedSubjects.get(issuer), last)) { return doValidate(chain); } // don't fallback to builder if called from plugin/webstart if (plugin) { // Validate chain even if no trust anchor is found. This // allows plugin/webstart to make sure the chain is // otherwise valid if (chain.length > 1) { X509Certificate[] newChain = new X509Certificate[chain.length-1]; System.arraycopy(chain, 0, newChain, 0, newChain.length); // temporarily set last cert as sole trust anchor PKIXBuilderParameters params = (PKIXBuilderParameters) parameterTemplate.clone(); try { params.setTrustAnchors (Collections.singleton(new TrustAnchor (chain[chain.length-1], null))); } catch (InvalidAlgorithmParameterException iape) { // should never occur, but ... throw new CertificateException(iape); } doValidate(newChain, params); } // if the rest of the chain is valid, throw exception // indicating no trust anchor was found throw new ValidatorException (ValidatorException.T_NO_TRUST_ANCHOR); } // otherwise, fall back to builder } return doBuild(chain, otherCerts); }
public int getCertPathLength() { return certPathLength; } Returns the length of the last certification path that is validated by CertPathValidator. This is intended primarily as a callback mechanism for PKIXCertPathCheckers to determine the length of the certification path that is being validated. It is necessary since engineValidate() may modify the length of the path.
public PKIXBuilderParameters getParameters() { return parameterTemplate; } Return the PKIX parameters used by this instance. An application may modify the parameters but must make sure not to perform any concurrent validations.
public Collection getTrustedCertificates() { return trustedCerts; }