1. /*
  2. * @(#)CertPathValidator.java 1.9 04/06/28
  3. *
  4. * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
  5. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  6. */
  7. package java.security.cert;
  8. import java.security.AccessController;
  9. import java.security.InvalidAlgorithmParameterException;
  10. import java.security.NoSuchAlgorithmException;
  11. import java.security.NoSuchProviderException;
  12. import java.security.PrivilegedAction;
  13. import java.security.Provider;
  14. import java.security.Security;
  15. import sun.security.util.Debug;
  16. import sun.security.jca.*;
  17. import sun.security.jca.GetInstance.Instance;
  18. /**
  19. * A class for validating certification paths (also known as certificate
  20. * chains).
  21. * <p>
  22. * This class uses a provider-based architecture, as described in the Java
  23. * Cryptography Architecture. To create a <code>CertPathValidator</code>,
  24. * call one of the static <code>getInstance</code> methods, passing in the
  25. * algorithm name of the <code>CertPathValidator</code> desired and
  26. * optionally the name of the provider desired.
  27. * <p>
  28. * Once a <code>CertPathValidator</code> object has been created, it can
  29. * be used to validate certification paths by calling the {@link #validate
  30. * validate} method and passing it the <code>CertPath</code> to be validated
  31. * and an algorithm-specific set of parameters. If successful, the result is
  32. * returned in an object that implements the
  33. * <code>CertPathValidatorResult</code> interface.
  34. * <p>
  35. * <b>Concurrent Access</b>
  36. * <p>
  37. * The static methods of this class are guaranteed to be thread-safe.
  38. * Multiple threads may concurrently invoke the static methods defined in
  39. * this class with no ill effects.
  40. * <p>
  41. * However, this is not true for the non-static methods defined by this class.
  42. * Unless otherwise documented by a specific provider, threads that need to
  43. * access a single <code>CertPathValidator</code> instance concurrently should
  44. * synchronize amongst themselves and provide the necessary locking. Multiple
  45. * threads each manipulating a different <code>CertPathValidator</code>
  46. * instance need not synchronize.
  47. *
  48. * @see CertPath
  49. *
  50. * @version 1.9 06/28/04
  51. * @since 1.4
  52. * @author Yassir Elley
  53. */
  54. public class CertPathValidator {
  55. /*
  56. * Constant to lookup in the Security properties file to determine
  57. * the default certpathvalidator type. In the Security properties file,
  58. * the default certpathvalidator type is given as:
  59. * <pre>
  60. * certpathvalidator.type=PKIX
  61. * </pre>
  62. */
  63. private static final String CPV_TYPE = "certpathvalidator.type";
  64. private static final Debug debug = Debug.getInstance("certpath");
  65. private CertPathValidatorSpi validatorSpi;
  66. private Provider provider;
  67. private String algorithm;
  68. /**
  69. * Creates a <code>CertPathValidator</code> object of the given algorithm,
  70. * and encapsulates the given provider implementation (SPI object) in it.
  71. *
  72. * @param validatorSpi the provider implementation
  73. * @param provider the provider
  74. * @param algorithm the algorithm name
  75. */
  76. protected CertPathValidator(CertPathValidatorSpi validatorSpi,
  77. Provider provider, String algorithm)
  78. {
  79. this.validatorSpi = validatorSpi;
  80. this.provider = provider;
  81. this.algorithm = algorithm;
  82. }
  83. /**
  84. * Returns a <code>CertPathValidator</code> object that implements the
  85. * specified algorithm.
  86. *
  87. * <p> If the default provider package provides an implementation of the
  88. * specified <code>CertPathValidator</code> algorithm, an instance of
  89. * <code>CertPathValidator</code> containing that implementation is
  90. * returned. If the requested algorithm is not available in the default
  91. * package, other packages are searched.
  92. *
  93. * @param algorithm the name of the requested <code>CertPathValidator</code>
  94. * algorithm
  95. * @return a <code>CertPathValidator</code> object that implements the
  96. * specified algorithm
  97. * @exception NoSuchAlgorithmException if the requested algorithm
  98. * is not available in the default provider package or any of the other
  99. * provider packages that were searched
  100. */
  101. public static CertPathValidator getInstance(String algorithm)
  102. throws NoSuchAlgorithmException {
  103. Instance instance = GetInstance.getInstance("CertPathValidator",
  104. CertPathValidatorSpi.class, algorithm);
  105. return new CertPathValidator((CertPathValidatorSpi)instance.impl,
  106. instance.provider, algorithm);
  107. }
  108. /**
  109. * Returns a <code>CertPathValidator</code> object that implements the
  110. * specified algorithm, as supplied by the specified provider.
  111. *
  112. * @param algorithm the name of the requested <code>CertPathValidator</code>
  113. * algorithm
  114. * @param provider the name of the provider
  115. * @return a <code>CertPathValidator</code> object that implements the
  116. * specified algorithm, as supplied by the specified provider
  117. * @exception NoSuchAlgorithmException if the requested algorithm
  118. * is not available from the specified provider
  119. * @exception NoSuchProviderException if the provider has not been
  120. * configured
  121. * @exception IllegalArgumentException if the <code>provider</code> is
  122. * null
  123. */
  124. public static CertPathValidator getInstance(String algorithm,
  125. String provider) throws NoSuchAlgorithmException,
  126. NoSuchProviderException {
  127. Instance instance = GetInstance.getInstance("CertPathValidator",
  128. CertPathValidatorSpi.class, algorithm, provider);
  129. return new CertPathValidator((CertPathValidatorSpi)instance.impl,
  130. instance.provider, algorithm);
  131. }
  132. /**
  133. * Returns a <code>CertPathValidator</code> object that implements the
  134. * specified algorithm, as supplied by the specified provider.
  135. * Note: the <code>provider</code> doesn't have to be registered.
  136. *
  137. * @param algorithm the name of the requested
  138. * <code>CertPathValidator</code> algorithm
  139. * @param provider the provider
  140. * @return a <code>CertPathValidator</code> object that implements the
  141. * specified algorithm, as supplied by the specified provider
  142. * @exception NoSuchAlgorithmException if the requested algorithm
  143. * is not available from the specified provider
  144. * @exception IllegalArgumentException if the <code>provider</code> is
  145. * null
  146. */
  147. public static CertPathValidator getInstance(String algorithm,
  148. Provider provider) throws NoSuchAlgorithmException {
  149. Instance instance = GetInstance.getInstance("CertPathValidator",
  150. CertPathValidatorSpi.class, algorithm, provider);
  151. return new CertPathValidator((CertPathValidatorSpi)instance.impl,
  152. instance.provider, algorithm);
  153. }
  154. /**
  155. * Returns the <code>Provider</code> of this
  156. * <code>CertPathValidator</code>.
  157. *
  158. * @return the <code>Provider</code> of this <code>CertPathValidator</code>
  159. */
  160. public final Provider getProvider() {
  161. return this.provider;
  162. }
  163. /**
  164. * Returns the algorithm name of this <code>CertPathValidator</code>.
  165. *
  166. * @return the algorithm name of this <code>CertPathValidator</code>
  167. */
  168. public final String getAlgorithm() {
  169. return this.algorithm;
  170. }
  171. /**
  172. * Validates the specified certification path using the specified
  173. * algorithm parameter set.
  174. * <p>
  175. * The <code>CertPath</code> specified must be of a type that is
  176. * supported by the validation algorithm, otherwise an
  177. * <code>InvalidAlgorithmParameterException</code> will be thrown. For
  178. * example, a <code>CertPathValidator</code> that implements the PKIX
  179. * algorithm validates <code>CertPath</code> objects of type X.509.
  180. *
  181. * @param certPath the <code>CertPath</code> to be validated
  182. * @param params the algorithm parameters
  183. * @return the result of the validation algorithm
  184. * @exception CertPathValidatorException if the <code>CertPath</code>
  185. * does not validate
  186. * @exception InvalidAlgorithmParameterException if the specified
  187. * parameters or the type of the specified <code>CertPath</code> are
  188. * inappropriate for this <code>CertPathValidator</code>
  189. */
  190. public final CertPathValidatorResult validate(CertPath certPath,
  191. CertPathParameters params)
  192. throws CertPathValidatorException, InvalidAlgorithmParameterException
  193. {
  194. return validatorSpi.engineValidate(certPath, params);
  195. }
  196. /**
  197. * Returns the default <code>CertPathValidator</code> type as specified in
  198. * the Java security properties file, or the string "PKIX"
  199. * if no such property exists. The Java security properties file is
  200. * located in the file named <JAVA_HOME>/lib/security/java.security,
  201. * where <JAVA_HOME> refers to the directory where the JDK was
  202. * installed.
  203. *
  204. * <p>The default <code>CertPathValidator</code> type can be used by
  205. * applications that do not want to use a hard-coded type when calling one
  206. * of the <code>getInstance</code> methods, and want to provide a default
  207. * type in case a user does not specify its own.
  208. *
  209. * <p>The default <code>CertPathValidator</code> type can be changed by
  210. * setting the value of the "certpathvalidator.type" security property
  211. * (in the Java security properties file) to the desired type.
  212. *
  213. * @return the default <code>CertPathValidator</code> type as specified
  214. * in the Java security properties file, or the string "PKIX"
  215. * if no such property exists.
  216. */
  217. public final static String getDefaultType() {
  218. String cpvtype;
  219. cpvtype = (String)AccessController.doPrivileged(new PrivilegedAction() {
  220. public Object run() {
  221. return Security.getProperty(CPV_TYPE);
  222. }
  223. });
  224. if (cpvtype == null) {
  225. cpvtype = "PKIX";
  226. }
  227. return cpvtype;
  228. }
  229. }