sun.security.validator
abstract public class: Validator
java.lang.Object
   sun.security.validator.Validator

Direct Known Subclasses:
    SimpleValidator, PKIXValidator

Validator abstract base class. Concrete classes are instantiated by calling one of the getInstance() methods. All methods defined in this class must be safe for concurrent use by multiple threads.

The model is that a Validator instance is created specifying validation settings, such as trust anchors or PKIX parameters. Then one or more paths are validated using those parameters. In some cases, additional information can be provided per path validation. This is independent of the validation parameters and currently only used for TLS server validation.

Path validation is performed by calling one of the validate() methods. It specifies a suggested path to be used for validation if available, or only the end entity certificate otherwise. Optionally additional certificates can be specified that the caller believes could be helpful. Implementations are free to make use of this information or validate the path using other means. validate() also checks that the end entity certificate is suitable for the intended purpose as described below.

There are two orthogonal parameters to select the Validator implementation: type and variant. Type selects the validation algorithm. Currently supported are TYPE_SIMPLE and TYPE_PKIX. See SimpleValidator and PKIXValidator for details.

Variant controls additional extension checks. Currently supported are five variants:

See EndEntityChecker for more information.

Examples:

    // instantiate validator specifying type, variant, and trust anchors
    Validator validator = Validator.getInstance(Validator.TYPE_PKIX,
                                                Validator.VAR_TLS_CLIENT,
                                                trustedCerts);
    // validate one or more chains using the validator
    validator.validate(chain); // throws CertificateException if failed
Field Summary
static final  X509Certificate[] CHAIN0     
public static final  String TYPE_SIMPLE    Constant for a validator of type Simple. 
public static final  String TYPE_PKIX    Constant for a validator of type PKIX. 
public static final  String VAR_GENERIC    Constant for a Generic variant of a validator. 
public static final  String VAR_CODE_SIGNING    Constant for a Code Signing variant of a validator. 
public static final  String VAR_JCE_SIGNING    Constant for a JCE Code Signing variant of a validator. 
public static final  String VAR_TLS_CLIENT    Constant for a TLS Client variant of a validator. 
public static final  String VAR_TLS_SERVER    Constant for a TLS Server variant of a validator. 
public static final  String VAR_TSA_SERVER    Constant for a TSA Server variant of a validator. 
public static final  String VAR_PLUGIN_CODE_SIGNING    Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code. 
final  EndEntityChecker endEntityChecker     
final  String variant     
volatile  Date validationDate     
Constructor:
 Validator(String type,
    String variant) 
Method from sun.security.validator.Validator Summary:
engineValidate,   getInstance,   getInstance,   getInstance,   getTrustedCertificates,   setValidationDate,   validate,   validate,   validate
Methods from java.lang.Object:
equals,   getClass,   hashCode,   notify,   notifyAll,   toString,   wait,   wait,   wait
Method from sun.security.validator.Validator Detail:
 abstract X509Certificate[] engineValidate(X509Certificate[] chain,
    Collection otherCerts,
    Object parameter) throws CertificateException
 public static Validator getInstance(String type,
    String variant,
    KeyStore ks) 
    Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.
 public static Validator getInstance(String type,
    String variant,
    Collection trustedCerts) 
    Get a new Validator instance using the Set of X509Certificates as trust anchors.
 public static Validator getInstance(String type,
    String variant,
    PKIXBuilderParameters params) 
    Get a new Validator instance using the provided PKIXBuilderParameters. This method can only be used with the PKIX validator.
 abstract public Collection getTrustedCertificates()
    Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
 public  void setValidationDate(Date validationDate) 
Deprecated!
    Set the date to be used for subsequent validations. NOTE that this is not a supported API, it is provided to simplify writing tests only.
 public final X509Certificate[] validate(X509Certificate[] chain) throws CertificateException 
    Validate the given certificate chain.
 public final X509Certificate[] validate(X509Certificate[] chain,
    Collection otherCerts) throws CertificateException 
    Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.
 public final X509Certificate[] validate(X509Certificate[] chain,
    Collection otherCerts,
    Object parameter) throws CertificateException 
    Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

    Parameter is an additional parameter with variant specific meaning. Currently, it is only defined for TLS_SERVER variant validators, where it must be non null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.
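
The following is an added example, not code from the JDK sources or this page. It validates one chain with two validators that share a type and trust anchors but differ in variant, and supplies the per-path parameter that VAR_TLS_SERVER requires. The class name ValidatorVariantDemo, the command-line argument layout and the input files are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import sun.security.validator.Validator;

// Added example; class name, argument layout and sample values are assumptions.
public class ValidatorVariantDemo {

    // Runs one validation and reports the outcome instead of propagating the exception.
    static String check(Validator v, X509Certificate[] chain, Object parameter) {
        try {
            X509Certificate[] path = v.validate(chain, null, parameter);
            return "OK, validated path of " + path.length + " certificate(s)";
        } catch (CertificateException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    // args: <JKS trust store> <store password> <PEM chain, end entity first> <key exchange, e.g. RSA>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            Collection<? extends Certificate> certs =
                CertificateFactory.getInstance("X.509").generateCertificates(in);
            chain = certs.toArray(new X509Certificate[0]);
        }

        // Same type and trust anchors, different variant: only the end-entity checks differ.
        Validator server = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_TLS_SERVER, ks);
        Validator client = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_TLS_CLIENT, ks);
        System.out.println("trust anchors: " + server.getTrustedCertificates().size());

        // VAR_TLS_SERVER requires the non-null key exchange name as the per-path parameter.
        System.out.println("TLS server: " + check(server, chain, args[3]));
        // The parameter has no defined meaning for VAR_TLS_CLIENT, so null is passed.
        System.out.println("TLS client: " + check(client, chain, null));
    }
}
```

Whether each variant accepts the chain depends on the extensions in the end entity certificate. sun.security.validator is a JDK-internal package; on JDK 9 and later it is not exported by java.base, so compiling and running this needs --add-exports java.base/sun.security.validator=ALL-UNNAMED.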