org.openeuler.sun.security.validator

类 Validator

java.lang.Object

org.openeuler.sun.security.validator.Validator

直接已知子类:

PKIXValidator, SimpleValidator

public abstract class Validator
extends Object

Validator abstract base class. Concrete classes are instantiated by calling one of the getInstance() methods. All methods defined in this class must be safe for concurrent use by multiple threads.

The model is that a Validator instance is created specifying validation settings, such as trust anchors or PKIX parameters. Then one or more paths are validated using those parameters. In some cases, additional information can be provided per path validation. This is independent of the validation parameters and currently only used for TLS server validation.

Path validation is performed by calling one of the validate() methods. It specifies a suggested path to be used for validation if available, or only the end entity certificate otherwise. Optionally additional certificates can be specified that the caller believes could be helpful. Implementations are free to make use of this information or validate the path using other means. validate() also checks that the end entity certificate is suitable for the intended purpose as described below.

There are two orthogonal parameters to select the Validator implementation: type and variant. Type selects the validation algorithm. Currently supported are TYPE_SIMPLE and TYPE_PKIX. See SimpleValidator and PKIXValidator for details.

Variant controls additional extension checks. Currently supported are five variants:

• VAR_GENERIC (no additional checks),
• VAR_TLS_CLIENT (TLS client specific checks)
• VAR_TLS_SERVER (TLS server specific checks), and
• VAR_CODE_SIGNING (code signing specific checks).
• VAR_JCE_SIGNING (JCE code signing specific checks).
• VAR_TSA_SERVER (TSA server specific checks).
• VAR_PLUGIN_CODE_SIGNING (Plugin/WebStart code signing specific checks).

See EndEntityChecker for more information.

Examples:

   // instantiate validator specifying type, variant, and trust anchors
   Validator validator = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               trustedCerts);
   // validate one or more chains using the validator
   validator.validate(chain); // throws CertificateException if failed
 

作者:

Andreas Sterbenz

另请参阅:

SimpleValidator, PKIXValidator, EndEntityChecker

字段概要

字段

限定符和类型	字段和说明
(专用程序包) static X509Certificate[]	CHAIN0
(专用程序包) EndEntityChecker	endEntityChecker
private String	type
static String	TYPE_PKIX Constant for a validator of type PKIX.
static String	TYPE_SIMPLE Constant for a validator of type Simple.
(专用程序包) Date	validationDate 已过时。
static String	VAR_CODE_SIGNING Constant for a Code Signing variant of a validator.
static String	VAR_GENERIC Constant for a Generic variant of a validator.
static String	VAR_JCE_SIGNING Constant for a JCE Code Signing variant of a validator.
static String	VAR_PLUGIN_CODE_SIGNING Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.
static String	VAR_TLS_CLIENT Constant for a TLS Client variant of a validator.
static String	VAR_TLS_SERVER Constant for a TLS Server variant of a validator.
static String	VAR_TSA_SERVER Constant for a TSA Server variant of a validator.
(专用程序包) String	variant

构造器概要

构造器

构造器和说明
Validator(String type, String variant)

方法概要

限定符和类型	方法和说明
(专用程序包) abstract X509Certificate[]	engineValidate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, List<byte[]> responseList, AlgorithmConstraints constraints, Object parameter)
static Validator	getInstance(String type, String variant, Collection<X509Certificate> trustedCerts) Get a new Validator instance using the Set of X509Certificates as trust anchors.
static Validator	getInstance(String type, String variant, KeyStore ks) Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.
static Validator	getInstance(String type, String variant, PKIXBuilderParameters params) Get a new Validator instance using the provided PKIXBuilderParameters.
abstract Collection<X509Certificate>	getTrustedCertificates() Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
void	setValidationDate(Date validationDate) 已过时。
X509Certificate[]	validate(X509Certificate[] chain) Validate the given certificate chain.
X509Certificate[]	validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts) Validate the given certificate chain.
X509Certificate[]	validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, List<byte[]> responseList, AlgorithmConstraints constraints, Object parameter) Validate the given certificate chain.
X509Certificate[]	validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, Object parameter) Validate the given certificate chain.

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

CHAIN0

static final X509Certificate[] CHAIN0

TYPE_SIMPLE

public static final String TYPE_SIMPLE

Constant for a validator of type Simple.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

TYPE_PKIX

public static final String TYPE_PKIX

Constant for a validator of type PKIX.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_GENERIC

public static final String VAR_GENERIC

Constant for a Generic variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_CODE_SIGNING

public static final String VAR_CODE_SIGNING

Constant for a Code Signing variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_JCE_SIGNING

public static final String VAR_JCE_SIGNING

Constant for a JCE Code Signing variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_TLS_CLIENT

public static final String VAR_TLS_CLIENT

Constant for a TLS Client variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_TLS_SERVER

public static final String VAR_TLS_SERVER

Constant for a TLS Server variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_TSA_SERVER

public static final String VAR_TSA_SERVER

Constant for a TSA Server variant of a validator.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

VAR_PLUGIN_CODE_SIGNING

public static final String VAR_PLUGIN_CODE_SIGNING

Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.

另请参阅:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), 常量字段值

type

private final String type

endEntityChecker

final EndEntityChecker endEntityChecker

variant

final String variant

validationDate

@Deprecated
volatile Date validationDate

已过时。

另请参阅:

setValidationDate(java.util.Date)

构造器详细资料

Validator

Validator(String type,
          String variant)

方法详细资料

getInstance

public static Validator getInstance(String type,
                                    String variant,
                                    KeyStore ks)

Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.

getInstance

public static Validator getInstance(String type,
                                    String variant,
                                    Collection<X509Certificate> trustedCerts)

Get a new Validator instance using the Set of X509Certificates as trust anchors.

getInstance

public static Validator getInstance(String type,
                                    String variant,
                                    PKIXBuilderParameters params)

Get a new Validator instance using the provided PKIXBuilderParameters. This method can only be used with the PKIX validator.

validate

public final X509Certificate[] validate(X509Certificate[] chain)
                                 throws CertificateException

Validate the given certificate chain.

抛出:

CertificateException

validate

public final X509Certificate[] validate(X509Certificate[] chain,
                                        Collection<X509Certificate> otherCerts)
                                 throws CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

抛出:

CertificateException

validate

public final X509Certificate[] validate(X509Certificate[] chain,
                                        Collection<X509Certificate> otherCerts,
                                        Object parameter)
                                 throws CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Parameter is an additional parameter with variant specific meaning. Currently, it is only defined for TLS_SERVER variant validators, where it must be non null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.

返回:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

抛出:

CertificateException

validate

public final X509Certificate[] validate(X509Certificate[] chain,
                                        Collection<X509Certificate> otherCerts,
                                        List<byte[]> responseList,
                                        AlgorithmConstraints constraints,
                                        Object parameter)
                                 throws CertificateException

Validate the given certificate chain.

参数:

chain - the target certificate chain

otherCerts - a Collection of additional X509Certificates that could be helpful for path building (or null)

responseList - a List of zero or more byte arrays, each one being a DER-encoded OCSP response (per RFC 6960). Entries in the List must match the order of the certificates in the chain parameter. It is possible that fewer responses may be in the list than are elements in chain and a missing response for a matching element in chain can be represented with a zero-length byte array.

constraints - algorithm constraints for certification path processing

parameter - an additional parameter with variant specific meaning. Currently, it is only defined for TLS_SERVER variant validators, where it must be non null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.

返回:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

抛出:

CertificateException

engineValidate

abstract X509Certificate[] engineValidate(X509Certificate[] chain,
                                          Collection<X509Certificate> otherCerts,
                                          List<byte[]> responseList,
                                          AlgorithmConstraints constraints,
                                          Object parameter)
                                   throws CertificateException

抛出:

CertificateException

getTrustedCertificates

public abstract Collection<X509Certificate> getTrustedCertificates()

Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.

setValidationDate

@Deprecated
public void setValidationDate(Date validationDate)

已过时。

Set the date to be used for subsequent validations. NOTE that this is not a supported API, it is provided to simplify writing tests only.