EndEntityChecker (jsse 1.0.6 API)

java.lang.Object
- org.openeuler.sun.security.validator.EndEntityChecker

```
class EndEntityChecker
extends Object
```
Class to check if an end entity cert is suitable for use in some context.
This class is used internally by the validator. Currently, seven variants are supported defined as VAR_XXX constants in the Validator class:
- Generic. No additional requirements, all certificates are ok.
- TLS server. Requires that a String parameter is passed to validate that specifies the name of the TLS key exchange algorithm in use. See the JSSE X509TrustManager spec for details.
- TLS client.
- Code signing.
- JCE code signing. Some early JCE code signing certs issued to providers had incorrect extensions. In this mode the checks are relaxed compared to standard code signing checks in order to allow these certificates to pass.
- Plugin code signing. WebStart and Plugin require their own variant which is equivalent to VAR_CODE_SIGNING with additional checks for compatibility/special cases. See also PKIXValidator.
- TSA Server (see RFC 3161, section 2.3).
作者:

Andreas Sterbenz

字段概要

字段
限定符和类型	字段和说明
`private static int`	`KU_KEY_AGREEMENT`
`private static int`	`KU_KEY_ENCIPHERMENT`
`private static Collection<String>`	`KU_SERVER_ENCRYPTION`
`private static Collection<String>`	`KU_SERVER_KEY_AGREEMENT`
`private static Collection<String>`	`KU_SERVER_SIGNATURE`
`private static int`	`KU_SIGNATURE`
`private static String`	`NSCT_CODE_SIGNING`
`private static String`	`NSCT_SSL_CLIENT`
`private static String`	`NSCT_SSL_SERVER`
`private static String`	`OID_EKU_ANY_USAGE`
`private static String`	`OID_EKU_CODE_SIGNING`
`private static String`	`OID_EKU_MS_SGC`
`private static String`	`OID_EKU_NS_SGC`
`private static String`	`OID_EKU_TIME_STAMPING`
`private static String`	`OID_EKU_TLS_CLIENT`
`private static String`	`OID_EKU_TLS_SERVER`
`private static String`	`OID_EXTENDED_KEY_USAGE`
`private static String`	`OID_SUBJECT_ALT_NAME`
`private String`	`type`
`private String`	`variant`

构造器概要

构造器
限定符构造器和说明

private EndEntityChecker(String type, String variant)

构造器
限定符	构造器和说明
`private`	`EndEntityChecker(String type, String variant)`

方法概要

所有方法静态方法实例方法具体方法
限定符和类型	方法和说明
`(专用程序包) void`	`check(X509Certificate[] chain, Object parameter, boolean checkUnresolvedCritExts)`
`private void`	`checkCodeSigning(X509Certificate cert, Set<String> exts)` Check whether this certificate can be used for code signing.
`private boolean`	`checkEKU(X509Certificate cert, Set<String> exts, String expectedEKU)` Utility method checking if the extended key usage extension in certificate cert allows use for expectedEKU.
`private boolean`	`checkKeyUsage(X509Certificate cert, int bit)` Utility method checking if bit 'bit' is set in this certificates key usage extension.
`private void`	`checkRemainingExtensions(Set<String> exts)` Utility method checking if there are any unresolved critical extensions.
`private void`	`checkTLSClient(X509Certificate cert, Set<String> exts)` Check whether this certificate can be used for TLS client authentication.
`private void`	`checkTLSServer(X509Certificate cert, String parameter, Set<String> exts)` Check whether this certificate can be used for TLS server authentication using the specified authentication type parameter.
`private void`	`checkTSAServer(X509Certificate cert, Set<String> exts)` Check whether this certificate can be used by a time stamping authority server (see RFC 3161, section 2.3).
`private Set<String>`	`getCriticalExtensions(X509Certificate cert)` Utility method returning the Set of critical extensions for certificate cert (never null).
`(专用程序包) static EndEntityChecker`	`getInstance(String type, String variant)`

从类继承的方法 java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

OID_EXTENDED_KEY_USAGE

private static final String OID_EXTENDED_KEY_USAGE

另请参阅:: 常量字段值

OID_EKU_TLS_SERVER

private static final String OID_EKU_TLS_SERVER

另请参阅:: 常量字段值

OID_EKU_TLS_CLIENT

private static final String OID_EKU_TLS_CLIENT

另请参阅:: 常量字段值

OID_EKU_CODE_SIGNING

private static final String OID_EKU_CODE_SIGNING

另请参阅:: 常量字段值

OID_EKU_TIME_STAMPING

private static final String OID_EKU_TIME_STAMPING

另请参阅:: 常量字段值

OID_EKU_ANY_USAGE

private static final String OID_EKU_ANY_USAGE

另请参阅:: 常量字段值

OID_EKU_NS_SGC

private static final String OID_EKU_NS_SGC

另请参阅:: 常量字段值

OID_EKU_MS_SGC

private static final String OID_EKU_MS_SGC

另请参阅:: 常量字段值

OID_SUBJECT_ALT_NAME

private static final String OID_SUBJECT_ALT_NAME

另请参阅:: 常量字段值

NSCT_SSL_CLIENT

private static final String NSCT_SSL_CLIENT

另请参阅:: 常量字段值

NSCT_SSL_SERVER

private static final String NSCT_SSL_SERVER

另请参阅:: 常量字段值

NSCT_CODE_SIGNING

private static final String NSCT_CODE_SIGNING

另请参阅:: 常量字段值

KU_SIGNATURE
```
private static final int KU_SIGNATURE
```
另请参阅:

常量字段值

KU_KEY_ENCIPHERMENT
```
private static final int KU_KEY_ENCIPHERMENT
```
另请参阅:

常量字段值

KU_KEY_AGREEMENT
```
private static final int KU_KEY_AGREEMENT
```
另请参阅:

常量字段值

KU_SERVER_SIGNATURE

private static final Collection<String> KU_SERVER_SIGNATURE

KU_SERVER_ENCRYPTION

private static final Collection<String> KU_SERVER_ENCRYPTION

KU_SERVER_KEY_AGREEMENT

private static final Collection<String> KU_SERVER_KEY_AGREEMENT

variant
```
private final String variant
```

type
```
private final String type
```

构造器详细资料

EndEntityChecker

private EndEntityChecker(String type,
                         String variant)

方法详细资料

getInstance

static EndEntityChecker getInstance(String type,
                                    String variant)

check

void check(X509Certificate[] chain,
           Object parameter,
           boolean checkUnresolvedCritExts)
    throws CertificateException

抛出:: CertificateException

getCriticalExtensions
```
private Set<String> getCriticalExtensions(X509Certificate cert)
```
Utility method returning the Set of critical extensions for certificate cert (never null).

checkRemainingExtensions
```
private void checkRemainingExtensions(Set<String> exts)
                               throws CertificateException
```
Utility method checking if there are any unresolved critical extensions.

抛出:

CertificateException - if so.

checkEKU

private boolean checkEKU(X509Certificate cert,
                         Set<String> exts,
                         String expectedEKU)
                  throws CertificateException

Utility method checking if the extended key usage extension in certificate cert allows use for expectedEKU.

抛出:: CertificateException

checkKeyUsage

private boolean checkKeyUsage(X509Certificate cert,
                              int bit)
                       throws CertificateException

Utility method checking if bit 'bit' is set in this certificates key usage extension.

抛出:: CertificateException - if not

checkTLSClient

private void checkTLSClient(X509Certificate cert,
                            Set<String> exts)
                     throws CertificateException

Check whether this certificate can be used for TLS client authentication.

抛出:: CertificateException - if not.

checkTLSServer

private void checkTLSServer(X509Certificate cert,
                            String parameter,
                            Set<String> exts)
                     throws CertificateException

Check whether this certificate can be used for TLS server authentication using the specified authentication type parameter. See X509TrustManager specification for details.

抛出:: CertificateException - if not.

checkCodeSigning

private void checkCodeSigning(X509Certificate cert,
                              Set<String> exts)
                       throws CertificateException

Check whether this certificate can be used for code signing.

抛出:: CertificateException - if not.

checkTSAServer

private void checkTSAServer(X509Certificate cert,
                            Set<String> exts)
                     throws CertificateException

Check whether this certificate can be used by a time stamping authority server (see RFC 3161, section 2.3).

抛出:: CertificateException - if not.

类 EndEntityChecker