java/15 : java.base/java/security/cert/PKIXCertPathChecker.java

PKIXCertPathChecker
https://openjdk.java.net/
GPLv2 + Classpath Exception
/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package java.security.cert;

import java.util.Collection;
import java.util.Set;

An abstract class that performs one or more checks on an X509Certificate. A concrete implementation of the PKIXCertPathChecker class can be created to extend the PKIX certification path validation algorithm. For example, an implementation may check for and process a critical private extension of each certificate in a certification path. 
Instances of PKIXCertPathChecker are passed as parameters using the setCertPathCheckers or addCertPathChecker methods of the PKIXParameters and PKIXBuilderParameters class. Each of the PKIXCertPathCheckers check methods will be called, in turn, for each certificate processed by a PKIX CertPathValidator or CertPathBuilder implementation. 
A PKIXCertPathChecker may be called multiple times on successive certificates in a certification path. Concrete subclasses are expected to maintain any internal state that may be necessary to check successive certificates. The init method is used to initialize the internal state of the checker so that the certificates of a new certification path may be checked. A stateful implementation must override the clone method if necessary in order to allow a PKIX CertPathBuilder to efficiently backtrack and try other paths. In these situations, the CertPathBuilder is able to restore prior path validation states by restoring the cloned PKIXCertPathCheckers. 
The order in which the certificates are presented to the PKIXCertPathChecker may be either in the forward direction (from target to most-trusted CA) or in the reverse direction (from most-trusted CA to target). A PKIXCertPathChecker implementation must support reverse checking (the ability to perform its checks when
it is presented with certificates in the reverse direction) and may support forward checking (the ability to perform its checks when it is presented with certificates in the forward direction). The isForwardCheckingSupported method indicates whether forward checking is supported. 

Additional input parameters required for executing the check may be
specified through constructors of concrete implementations of this class.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not
thread-safe. Multiple threads that need to access a single
object concurrently should synchronize amongst themselves and
provide the necessary locking. Multiple threads each manipulating
separate objects need not synchronize.
Author:      Yassir Elley,      Sean Mullan
See Also: PKIXParameters
PKIXBuilderParameters
Since:       1.4/**
 * An abstract class that performs one or more checks on an
 * {@code X509Certificate}.
 *
 * <p>A concrete implementation of the {@code PKIXCertPathChecker} class
 * can be created to extend the PKIX certification path validation algorithm.
 * For example, an implementation may check for and process a critical private
 * extension of each certificate in a certification path.
 *
 * <p>Instances of {@code PKIXCertPathChecker} are passed as parameters
 * using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
 * or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
 * of the {@code PKIXParameters} and {@code PKIXBuilderParameters}
 * class. Each of the {@code PKIXCertPathChecker}s {@link #check check}
 * methods will be called, in turn, for each certificate processed by a PKIX
 * {@code CertPathValidator} or {@code CertPathBuilder}
 * implementation.
 *
 * <p>A {@code PKIXCertPathChecker} may be called multiple times on
 * successive certificates in a certification path. Concrete subclasses
 * are expected to maintain any internal state that may be necessary to
 * check successive certificates. The {@link #init init} method is used
 * to initialize the internal state of the checker so that the certificates
 * of a new certification path may be checked. A stateful implementation
 * <b>must</b> override the {@link #clone clone} method if necessary in
 * order to allow a PKIX {@code CertPathBuilder} to efficiently
 * backtrack and try other paths. In these situations, the
 * {@code CertPathBuilder} is able to restore prior path validation
 * states by restoring the cloned {@code PKIXCertPathChecker}s.
 *
 * <p>The order in which the certificates are presented to the
 * {@code PKIXCertPathChecker} may be either in the forward direction
 * (from target to most-trusted CA) or in the reverse direction (from
 * most-trusted CA to target). A {@code PKIXCertPathChecker} implementation
 * <b>must</b> support reverse checking (the ability to perform its checks when
 * it is presented with certificates in the reverse direction) and <b>may</b>
 * support forward checking (the ability to perform its checks when it is
 * presented with certificates in the forward direction). The
 * {@link #isForwardCheckingSupported isForwardCheckingSupported} method
 * indicates whether forward checking is supported.
 * <p>
 * Additional input parameters required for executing the check may be
 * specified through constructors of concrete implementations of this class.
 * <p>
 * <b>Concurrent Access</b>
 * <p>
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see PKIXParameters
 * @see PKIXBuilderParameters
 *
 * @since       1.4
 * @author      Yassir Elley
 * @author      Sean Mullan
 */
public abstract class PKIXCertPathChecker
    implements CertPathChecker, Cloneable {

    Default constructor.
/**
     * Default constructor.
     */
    protected PKIXCertPathChecker() {}

    Initializes the internal state of this PKIXCertPathChecker.  The forward flag specifies the order that certificates will be passed to the check method (forward or reverse). A PKIXCertPathChecker must
support reverse checking and may support forward checking.
Params: forward – the order that certificates are presented to the check method. If true, certificates are presented from target to most-trusted CA (forward); if false, from most-trusted CA to target (reverse).
Throws: CertPathValidatorException – if this PKIXCertPathChecker is unable to check certificates in the specified order; it should never be thrown if the forward flag is false since reverse checking must be supported/**
     * Initializes the internal state of this {@code PKIXCertPathChecker}.
     * <p>
     * The {@code forward} flag specifies the order that
     * certificates will be passed to the {@link #check check} method
     * (forward or reverse). A {@code PKIXCertPathChecker} <b>must</b>
     * support reverse checking and <b>may</b> support forward checking.
     *
     * @param forward the order that certificates are presented to
     * the {@code check} method. If {@code true}, certificates
     * are presented from target to most-trusted CA (forward); if
     * {@code false}, from most-trusted CA to target (reverse).
     * @throws CertPathValidatorException if this
     * {@code PKIXCertPathChecker} is unable to check certificates in
     * the specified order; it should never be thrown if the forward flag
     * is false since reverse checking must be supported
     */
    @Override
    public abstract void init(boolean forward)
        throws CertPathValidatorException;

    Indicates if forward checking is supported. Forward checking refers to the ability of the PKIXCertPathChecker to perform its checks when certificates are presented to the check method in the forward direction (from target to most-trusted CA). 
Returns: true if forward checking is supported, false otherwise/**
     * Indicates if forward checking is supported. Forward checking refers
     * to the ability of the {@code PKIXCertPathChecker} to perform
     * its checks when certificates are presented to the {@code check}
     * method in the forward direction (from target to most-trusted CA).
     *
     * @return {@code true} if forward checking is supported,
     * {@code false} otherwise
     */
    @Override
    public abstract boolean isForwardCheckingSupported();

    Returns an immutable Set of X.509 certificate extensions that this PKIXCertPathChecker supports (i.e. recognizes, is able to process), or null if no extensions are supported.  Each element of the set is a String representing the Object Identifier (OID) of the X.509 extension that is supported. The OID is represented by a set of nonnegative integers separated by periods. 
 All X.509 certificate extensions that a PKIXCertPathChecker might possibly be able to process should be included in the set. 
Returns: an immutable Set of X.509 extension OIDs (in String format) supported by this PKIXCertPathChecker, or null if no extensions are supported/**
     * Returns an immutable {@code Set} of X.509 certificate extensions
     * that this {@code PKIXCertPathChecker} supports (i.e. recognizes, is
     * able to process), or {@code null} if no extensions are supported.
     * <p>
     * Each element of the set is a {@code String} representing the
     * Object Identifier (OID) of the X.509 extension that is supported.
     * The OID is represented by a set of nonnegative integers separated by
     * periods.
     * <p>
     * All X.509 certificate extensions that a {@code PKIXCertPathChecker}
     * might possibly be able to process should be included in the set.
     *
     * @return an immutable {@code Set} of X.509 extension OIDs (in
     * {@code String} format) supported by this
     * {@code PKIXCertPathChecker}, or {@code null} if no
     * extensions are supported
     */
    public abstract Set<String> getSupportedExtensions();

    Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions. The certificates are presented in the order specified by the init method. 
Params: cert – the Certificate to be checked
unresolvedCritExts – a Collection of OID strings representing the current set of unresolved critical extensions
Throws: CertPathValidatorException – if the specified certificate does
not pass the check/**
     * Performs the check(s) on the specified certificate using its internal
     * state and removes any critical extensions that it processes from the
     * specified collection of OID strings that represent the unresolved
     * critical extensions. The certificates are presented in the order
     * specified by the {@code init} method.
     *
     * @param cert the {@code Certificate} to be checked
     * @param unresolvedCritExts a {@code Collection} of OID strings
     * representing the current set of unresolved critical extensions
     * @throws    CertPathValidatorException if the specified certificate does
     * not pass the check
     */
    public abstract void check(Certificate cert,
            Collection<String> unresolvedCritExts)
            throws CertPathValidatorException;

    {@inheritDoc}
This implementation calls check(cert, java.util.Collections.<String>emptySet()). /**
     * {@inheritDoc}
     *
     * <p>This implementation calls
     * {@code check(cert, java.util.Collections.<String>emptySet())}.
     */
    @Override
    public void check(Certificate cert) throws CertPathValidatorException {
        check(cert, java.util.Collections.<String>emptySet());
    }

    Returns a clone of this object. Calls the Object.clone() method. All subclasses which maintain state must support and override this method, if necessary. 
Returns: a copy of this PKIXCertPathChecker/**
     * Returns a clone of this object. Calls the {@code Object.clone()}
     * method.
     * All subclasses which maintain state must support and
     * override this method, if necessary.
     *
     * @return a copy of this {@code PKIXCertPathChecker}
     */
    @Override
    public Object clone() {
        try {
            return super.clone();
        } catch (CloneNotSupportedException e) {
            /* Cannot happen */
            throw new InternalError(e.toString(), e);
        }
    }
}
Author:	Yassir Elley, Sean Mullan
See Also:	PKIXParameters PKIXBuilderParameters
Since:	1.4
Params:	forward – the order that certificates are presented to the `check` method. If `true`, certificates are presented from target to most-trusted CA (forward); if `false`, from most-trusted CA to target (reverse).
Throws:	CertPathValidatorException – if this `PKIXCertPathChecker` is unable to check certificates in the specified order; it should never be thrown if the forward flag is false since reverse checking must be supported
Params:	cert – the `Certificate` to be checked unresolvedCritExts – a `Collection` of OID strings representing the current set of unresolved critical extensions
Throws:	CertPathValidatorException – if the specified certificate does not pass the check
/

java/ 15/ java.base/java/security/cert/PKIXCertPathChecker.java
