1 /* 2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.security.AccessController; 29 import java.security.InvalidAlgorithmParameterException; 30 import java.security.NoSuchAlgorithmException; 31 import java.security.NoSuchProviderException; 32 import java.security.PrivilegedAction; 33 import java.security.Provider; 34 import java.security.Security; 35 import sun.security.util.Debug; 36 37 import sun.security.jca.*; 38 import sun.security.jca.GetInstance.Instance; 39 40 /** 41 * A class for validating certification paths (also known as certificate 42 * chains). 43 * <p> 44 * This class uses a provider-based architecture. 45 * To create a {@code CertPathValidator}, 46 * call one of the static {@code getInstance} methods, passing in the 47 * algorithm name of the {@code CertPathValidator} desired and 48 * optionally the name of the provider desired. 49 * 50 * <p>Once a {@code CertPathValidator} object has been created, it can 51 * be used to validate certification paths by calling the {@link #validate 52 * validate} method and passing it the {@code CertPath} to be validated 53 * and an algorithm-specific set of parameters. If successful, the result is 54 * returned in an object that implements the 55 * {@code CertPathValidatorResult} interface. 56 * 57 * <p>The {@link #getRevocationChecker} method allows an application to specify 58 * additional algorithm-specific parameters and options used by the 59 * {@code CertPathValidator} when checking the revocation status of 60 * certificates. Here is an example demonstrating how it is used with the PKIX 61 * algorithm: 62 * 63 * <pre> 64 * CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); 65 * PKIXRevocationChecker rc = (PKIXRevocationChecker)cpv.getRevocationChecker(); 66 * rc.setOptions(EnumSet.of(Option.SOFT_FAIL)); 67 * params.addCertPathChecker(rc); 68 * CertPathValidatorResult cpvr = cpv.validate(path, params); 69 * </pre> 70 * 71 * <p> Android provides the following {@code CertPathValidator} algorithms: 72 * <table> 73 * <thead> 74 * <tr> 75 * <th>Algorithm</th> 76 * <th>Supported API Levels</th> 77 * </tr> 78 * </thead> 79 * <tbody> 80 * <tr> 81 * <td>PKIX</td> 82 * <td>1+</td> 83 * </tr> 84 * </tbody> 85 * </table> 86 * 87 * This algorithm is described in the <a href= 88 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#CertPathValidator"> 89 * CertPathValidator section</a> of the 90 * Java Cryptography Architecture Standard Algorithm Name Documentation. 91 * 92 * <p> 93 * <b>Concurrent Access</b> 94 * <p> 95 * The static methods of this class are guaranteed to be thread-safe. 96 * Multiple threads may concurrently invoke the static methods defined in 97 * this class with no ill effects. 98 * <p> 99 * However, this is not true for the non-static methods defined by this class. 100 * Unless otherwise documented by a specific provider, threads that need to 101 * access a single {@code CertPathValidator} instance concurrently should 102 * synchronize amongst themselves and provide the necessary locking. Multiple 103 * threads each manipulating a different {@code CertPathValidator} 104 * instance need not synchronize. 105 * 106 * @see CertPath 107 * 108 * @since 1.4 109 * @author Yassir Elley 110 */ 111 public class CertPathValidator { 112 113 /* 114 * Constant to lookup in the Security properties file to determine 115 * the default certpathvalidator type. In the Security properties file, 116 * the default certpathvalidator type is given as: 117 * <pre> 118 * certpathvalidator.type=PKIX 119 * </pre> 120 */ 121 private static final String CPV_TYPE = "certpathvalidator.type"; 122 private final CertPathValidatorSpi validatorSpi; 123 private final Provider provider; 124 private final String algorithm; 125 126 /** 127 * Creates a {@code CertPathValidator} object of the given algorithm, 128 * and encapsulates the given provider implementation (SPI object) in it. 129 * 130 * @param validatorSpi the provider implementation 131 * @param provider the provider 132 * @param algorithm the algorithm name 133 */ 134 protected CertPathValidator(CertPathValidatorSpi validatorSpi, 135 Provider provider, String algorithm) 136 { 137 this.validatorSpi = validatorSpi; 138 this.provider = provider; 139 this.algorithm = algorithm; 140 } 141 142 /** 143 * Returns a {@code CertPathValidator} object that implements the 144 * specified algorithm. 145 * 146 * <p> This method traverses the list of registered security Providers, 147 * starting with the most preferred Provider. 148 * A new CertPathValidator object encapsulating the 149 * CertPathValidatorSpi implementation from the first 150 * Provider that supports the specified algorithm is returned. 151 * 152 * <p> Note that the list of registered providers may be retrieved via 153 * the {@link Security#getProviders() Security.getProviders()} method. 154 * 155 * @param algorithm the name of the requested {@code CertPathValidator} 156 * algorithm. See the CertPathValidator section in the <a href= 157 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#CertPathValidator"> 158 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 159 * for information about standard algorithm names. 160 * 161 * @return a {@code CertPathValidator} object that implements the 162 * specified algorithm. 163 * 164 * @exception NoSuchAlgorithmException if no Provider supports a 165 * CertPathValidatorSpi implementation for the 166 * specified algorithm. 167 * 168 * @see java.security.Provider 169 */ 170 public static CertPathValidator getInstance(String algorithm) 171 throws NoSuchAlgorithmException { 172 Instance instance = GetInstance.getInstance("CertPathValidator", 173 CertPathValidatorSpi.class, algorithm); 174 return new CertPathValidator((CertPathValidatorSpi)instance.impl, 175 instance.provider, algorithm); 176 } 177 178 /** 179 * Returns a {@code CertPathValidator} object that implements the 180 * specified algorithm. 181 * 182 * <p> A new CertPathValidator object encapsulating the 183 * CertPathValidatorSpi implementation from the specified provider 184 * is returned. The specified provider must be registered 185 * in the security provider list. 186 * 187 * <p> Note that the list of registered providers may be retrieved via 188 * the {@link Security#getProviders() Security.getProviders()} method. 189 * 190 * @param algorithm the name of the requested {@code CertPathValidator} 191 * algorithm. See the CertPathValidator section in the <a href= 192 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#CertPathValidator"> 193 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 194 * for information about standard algorithm names. 195 * 196 * @param provider the name of the provider. 197 * 198 * @return a {@code CertPathValidator} object that implements the 199 * specified algorithm. 200 * 201 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi 202 * implementation for the specified algorithm is not 203 * available from the specified provider. 204 * 205 * @exception NoSuchProviderException if the specified provider is not 206 * registered in the security provider list. 207 * 208 * @exception IllegalArgumentException if the {@code provider} is 209 * null or empty. 210 * 211 * @see java.security.Provider 212 */ 213 public static CertPathValidator getInstance(String algorithm, 214 String provider) throws NoSuchAlgorithmException, 215 NoSuchProviderException { 216 Instance instance = GetInstance.getInstance("CertPathValidator", 217 CertPathValidatorSpi.class, algorithm, provider); 218 return new CertPathValidator((CertPathValidatorSpi)instance.impl, 219 instance.provider, algorithm); 220 } 221 222 /** 223 * Returns a {@code CertPathValidator} object that implements the 224 * specified algorithm. 225 * 226 * <p> A new CertPathValidator object encapsulating the 227 * CertPathValidatorSpi implementation from the specified Provider 228 * object is returned. Note that the specified Provider object 229 * does not have to be registered in the provider list. 230 * 231 * @param algorithm the name of the requested {@code CertPathValidator} 232 * algorithm. See the CertPathValidator section in the <a href= 233 * "{@docRoot}openjdk-redirect.html?v=8&path=/technotes/guides/security/StandardNames.html#CertPathValidator"> 234 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> 235 * for information about standard algorithm names. 236 * 237 * @param provider the provider. 238 * 239 * @return a {@code CertPathValidator} object that implements the 240 * specified algorithm. 241 * 242 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi 243 * implementation for the specified algorithm is not available 244 * from the specified Provider object. 245 * 246 * @exception IllegalArgumentException if the {@code provider} is 247 * null. 248 * 249 * @see java.security.Provider 250 */ 251 public static CertPathValidator getInstance(String algorithm, 252 Provider provider) throws NoSuchAlgorithmException { 253 Instance instance = GetInstance.getInstance("CertPathValidator", 254 CertPathValidatorSpi.class, algorithm, provider); 255 return new CertPathValidator((CertPathValidatorSpi)instance.impl, 256 instance.provider, algorithm); 257 } 258 259 /** 260 * Returns the {@code Provider} of this 261 * {@code CertPathValidator}. 262 * 263 * @return the {@code Provider} of this {@code CertPathValidator} 264 */ 265 public final Provider getProvider() { 266 return this.provider; 267 } 268 269 /** 270 * Returns the algorithm name of this {@code CertPathValidator}. 271 * 272 * @return the algorithm name of this {@code CertPathValidator} 273 */ 274 public final String getAlgorithm() { 275 return this.algorithm; 276 } 277 278 /** 279 * Validates the specified certification path using the specified 280 * algorithm parameter set. 281 * <p> 282 * The {@code CertPath} specified must be of a type that is 283 * supported by the validation algorithm, otherwise an 284 * {@code InvalidAlgorithmParameterException} will be thrown. For 285 * example, a {@code CertPathValidator} that implements the PKIX 286 * algorithm validates {@code CertPath} objects of type X.509. 287 * 288 * @param certPath the {@code CertPath} to be validated 289 * @param params the algorithm parameters 290 * @return the result of the validation algorithm 291 * @exception CertPathValidatorException if the {@code CertPath} 292 * does not validate 293 * @exception InvalidAlgorithmParameterException if the specified 294 * parameters or the type of the specified {@code CertPath} are 295 * inappropriate for this {@code CertPathValidator} 296 */ 297 public final CertPathValidatorResult validate(CertPath certPath, 298 CertPathParameters params) 299 throws CertPathValidatorException, InvalidAlgorithmParameterException 300 { 301 return validatorSpi.engineValidate(certPath, params); 302 } 303 304 /** 305 * Returns the default {@code CertPathValidator} type as specified by 306 * the {@code certpathvalidator.type} security property, or the string 307 * {@literal "PKIX"} if no such property exists. 308 * 309 * <p>The default {@code CertPathValidator} type can be used by 310 * applications that do not want to use a hard-coded type when calling one 311 * of the {@code getInstance} methods, and want to provide a default 312 * type in case a user does not specify its own. 313 * 314 * <p>The default {@code CertPathValidator} type can be changed by 315 * setting the value of the {@code certpathvalidator.type} security 316 * property to the desired type. 317 * 318 * @see java.security.Security security properties 319 * @return the default {@code CertPathValidator} type as specified 320 * by the {@code certpathvalidator.type} security property, or the string 321 * {@literal "PKIX"} if no such property exists. 322 */ 323 public final static String getDefaultType() { 324 String cpvtype = 325 AccessController.doPrivileged(new PrivilegedAction<String>() { 326 public String run() { 327 return Security.getProperty(CPV_TYPE); 328 } 329 }); 330 return (cpvtype == null) ? "PKIX" : cpvtype; 331 } 332 333 /** 334 * Returns a {@code CertPathChecker} that the encapsulated 335 * {@code CertPathValidatorSpi} implementation uses to check the revocation 336 * status of certificates. A PKIX implementation returns objects of 337 * type {@code PKIXRevocationChecker}. Each invocation of this method 338 * returns a new instance of {@code CertPathChecker}. 339 * 340 * <p>The primary purpose of this method is to allow callers to specify 341 * additional input parameters and options specific to revocation checking. 342 * See the class description for an example. 343 * 344 * @return a {@code CertPathChecker} 345 * @throws UnsupportedOperationException if the service provider does not 346 * support this method 347 * @since 1.8 348 */ 349 public final CertPathChecker getRevocationChecker() { 350 return validatorSpi.engineGetRevocationChecker(); 351 } 352 } 353
