org.openeuler.sun.security.validator

类 PKIXValidator

java.lang.Object

org.openeuler.sun.security.validator.Validator

org.openeuler.sun.security.validator.PKIXValidator

public final class PKIXValidator
extends Validator

Validator implementation built on the PKIX CertPath API. This implementation will be emphasized going forward.

Note that the validate() implementation tries to use a PKIX validator if that appears possible and a PKIX builder otherwise. This increases performance and currently also leads to better exception messages in case of failures.

PKIXValidator objects are immutable once they have been created. Please DO NOT add methods that can change the state of an instance once it has been created.

作者:

Andreas Sterbenz

字段概要

字段

限定符和类型	字段和说明
private static boolean	ALLOW_NON_CA_ANCHOR System or security property that if set (or set to "true"), allows trust anchor certificates to be used if they do not have the proper CA extensions.
private int	certPathLength
private static boolean	checkTLSRevocation Flag indicating whether to enable revocation check for the PKIX trust manager.
private CertificateFactory	factory
private PKIXBuilderParameters	parameterTemplate
private boolean	plugin
private Set<X509Certificate>	trustedCerts
private Map<X500Principal,List<PublicKey>>	trustedSubjects
private static boolean	TRY_VALIDATOR

从类继承的字段 org.openeuler.sun.security.validator.Validator

CHAIN0, endEntityChecker, TYPE_PKIX, TYPE_SIMPLE, validationDate, VAR_CODE_SIGNING, VAR_GENERIC, VAR_JCE_SIGNING, VAR_PLUGIN_CODE_SIGNING, VAR_TLS_CLIENT, VAR_TLS_SERVER, VAR_TSA_SERVER, variant

构造器概要

构造器

构造器和说明
PKIXValidator(String variant, Collection<X509Certificate> trustedCerts)
PKIXValidator(String variant, PKIXBuilderParameters params)

方法概要

限定符和类型	方法和说明
private static void	addResponses(PKIXBuilderParameters pkixParams, X509Certificate[] chain, List<byte[]> responseList) For OCSP Stapling, add responses that came in during the handshake into a PKIXRevocationChecker so we can evaluate them.
private static boolean	allowNonCaAnchor()
private X509Certificate[]	doBuild(X509Certificate[] chain, Collection<X509Certificate> otherCerts, PKIXBuilderParameters params)
private X509Certificate[]	doValidate(X509Certificate[] chain, PKIXBuilderParameters params)
(专用程序包) X509Certificate[]	engineValidate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, List<byte[]> responseList, AlgorithmConstraints constraints, Object parameter)
int	getCertPathLength() Returns the length of the last certification path that is validated by CertPathValidator.
PKIXBuilderParameters	getParameters() Return the PKIX parameters used by this instance.
Collection<X509Certificate>	getTrustedCertificates() Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
private boolean	isSignatureValid(List<PublicKey> keys, X509Certificate sub)
private void	setDate(PKIXBuilderParameters params) Set the check date (for debugging).
private void	setDefaultParameters(String variant) Set J2SE global default PKIX parameters.
private static X509Certificate[]	toArray(CertPath path, TrustAnchor anchor)
private static void	verifyTrustAnchor(X509Certificate trustedCert) Verify that a trust anchor certificate is a CA certificate.

从类继承的方法 org.openeuler.sun.security.validator.Validator

getInstance, getInstance, getInstance, setValidationDate, validate, validate, validate, validate

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

checkTLSRevocation

private static final boolean checkTLSRevocation

Flag indicating whether to enable revocation check for the PKIX trust manager. Typically, this will only work if the PKIX implementation supports CRL distribution points as we do not manually setup CertStores.

TRY_VALIDATOR

private static final boolean TRY_VALIDATOR

另请参阅:

常量字段值

ALLOW_NON_CA_ANCHOR

private static final boolean ALLOW_NON_CA_ANCHOR

System or security property that if set (or set to "true"), allows trust anchor certificates to be used if they do not have the proper CA extensions. Set to false if prop is not set, or set to any other value.

trustedCerts

private final Set<X509Certificate> trustedCerts

parameterTemplate

private final PKIXBuilderParameters parameterTemplate

certPathLength

private int certPathLength

trustedSubjects

private final Map<X500Principal,List<PublicKey>> trustedSubjects

factory

private final CertificateFactory factory

plugin

private final boolean plugin

构造器详细资料

PKIXValidator

PKIXValidator(String variant,
              Collection<X509Certificate> trustedCerts)

PKIXValidator

PKIXValidator(String variant,
              PKIXBuilderParameters params)

方法详细资料

allowNonCaAnchor

private static boolean allowNonCaAnchor()

getTrustedCertificates

public Collection<X509Certificate> getTrustedCertificates()

从类复制的说明: Validator

Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.

指定者:

getTrustedCertificates 在类中 Validator

getCertPathLength

public int getCertPathLength()

Returns the length of the last certification path that is validated by CertPathValidator. This is intended primarily as a callback mechanism for PKIXCertPathCheckers to determine the length of the certification path that is being validated. It is necessary since engineValidate() may modify the length of the path.

返回:

the length of the last certification path passed to CertPathValidator.validate, or -1 if it has not been invoked yet

setDefaultParameters

private void setDefaultParameters(String variant)

Set J2SE global default PKIX parameters. Currently, hardcoded to disable revocation checking. In the future, this should be configurable.

getParameters

public PKIXBuilderParameters getParameters()

Return the PKIX parameters used by this instance. An application may modify the parameters but must make sure not to perform any concurrent validations.

engineValidate

X509Certificate[] engineValidate(X509Certificate[] chain,
                                 Collection<X509Certificate> otherCerts,
                                 List<byte[]> responseList,
                                 AlgorithmConstraints constraints,
                                 Object parameter)
                          throws CertificateException

指定者:

engineValidate 在类中 Validator

抛出:

CertificateException

isSignatureValid

private boolean isSignatureValid(List<PublicKey> keys,
                                 X509Certificate sub)

toArray

private static X509Certificate[] toArray(CertPath path,
                                         TrustAnchor anchor)
                                  throws CertificateException

抛出:

CertificateException

setDate

private void setDate(PKIXBuilderParameters params)

Set the check date (for debugging).

doValidate

private X509Certificate[] doValidate(X509Certificate[] chain,
                                     PKIXBuilderParameters params)
                              throws CertificateException

抛出:

CertificateException

verifyTrustAnchor

private static void verifyTrustAnchor(X509Certificate trustedCert)
                               throws ValidatorException

Verify that a trust anchor certificate is a CA certificate.

抛出:

ValidatorException

doBuild

private X509Certificate[] doBuild(X509Certificate[] chain,
                                  Collection<X509Certificate> otherCerts,
                                  PKIXBuilderParameters params)
                           throws CertificateException

抛出:

CertificateException

addResponses

private static void addResponses(PKIXBuilderParameters pkixParams,
                                 X509Certificate[] chain,
                                 List<byte[]> responseList)

For OCSP Stapling, add responses that came in during the handshake into a PKIXRevocationChecker so we can evaluate them.

参数:

pkixParams - the pkixParameters object that will be used in path validation.

chain - the chain of certificates to verify

responseList - a List of zero or more byte arrays, each one being a DER-encoded OCSP response (per RFC 6960). Entries in the List must match the order of the certificates in the chain parameter.