diff --git a/jdk/src/share/classes/java/security/cert/CertPathBuilder.java b/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
index 95988d4a3aa..096627d6188 100644
--- a/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
+++ b/jdk/src/share/classes/java/security/cert/CertPathBuilder.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,15 +45,28 @@ import sun.security.jca.GetInstance.Instance;
* one of the static getInstance methods, passing in the
* algorithm name of the CertPathBuilder desired and optionally
* the name of the provider desired.
- *
- * Once a CertPathBuilder object has been created, certification
+ *
+ *
Once a CertPathBuilder object has been created, certification
* paths can be constructed by calling the {@link #build build} method and
* passing it an algorithm-specific set of parameters. If successful, the
* result (including the CertPath that was built) is returned
* in an object that implements the CertPathBuilderResult
* interface.
*
- *
Every implementation of the Java platform is required to support the
+ *
The {@link #getRevocationChecker} method allows an application to specify
+ * additional algorithm-specific parameters and options used by the
+ * {@code CertPathBuilder} when checking the revocation status of certificates.
+ * Here is an example demonstrating how it is used with the PKIX algorithm:
+ *
+ *
+ * CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
+ * PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker();
+ * rc.setOptions(EnumSet.of(Option.PREFER_CRLS));
+ * params.addCertPathChecker(rc);
+ * CertPathBuilderResult cpbr = cpb.build(params);
+ *
+ *
+ * Every implementation of the Java platform is required to support the
* following standard CertPathBuilder algorithm:
*
CertPathBuilder object of the given algorithm,
@@ -290,15 +302,30 @@ public class CertPathBuilder {
* if no such property exists.
*/
public final static String getDefaultType() {
- String cpbtype;
- cpbtype = AccessController.doPrivileged(new PrivilegedActionThe primary purpose of this method is to allow callers to specify + * additional input parameters and options specific to revocation checking. + * See the class description for an example. + * + * @throws UnsupportedOperationException if the service provider does not + * support this method + * @since 1.8 + */ + public final CertPathChecker getRevocationChecker() { + return builderSpi.engineGetRevocationChecker(); } } diff --git a/jdk/src/share/classes/java/security/cert/CertPathBuilderSpi.java b/jdk/src/share/classes/java/security/cert/CertPathBuilderSpi.java index 0c10a4d40da..49a35b36e90 100644 --- a/jdk/src/share/classes/java/security/cert/CertPathBuilderSpi.java +++ b/jdk/src/share/classes/java/security/cert/CertPathBuilderSpi.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -72,4 +72,25 @@ public abstract class CertPathBuilderSpi { */ public abstract CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException; + + /** + * Returns a {@code CertPathChecker} that this implementation uses to + * check the revocation status of certificates. A PKIX implementation + * returns objects of type {@code PKIXRevocationChecker}. + * + *
The primary purpose of this method is to allow callers to specify
+ * additional input parameters and options specific to revocation checking.
+ * See the class description of {@code CertPathBuilder} for an example.
+ *
+ *
This method was added to version 1.8 of the Java Platform Standard
+ * Edition. In order to maintain backwards compatibility with existing
+ * service providers, this method cannot be abstract and by default throws
+ * an {@code UnsupportedOperationException}.
+ *
+ * @throws UnsupportedOperationException if this method is not supported
+ * @since 1.8
+ */
+ public CertPathChecker engineGetRevocationChecker() {
+ throw new UnsupportedOperationException();
+ }
}
diff --git a/jdk/src/share/classes/java/security/cert/CertPathChecker.java b/jdk/src/share/classes/java/security/cert/CertPathChecker.java
new file mode 100644
index 00000000000..c40a65b6354
--- /dev/null
+++ b/jdk/src/share/classes/java/security/cert/CertPathChecker.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security.cert;
+
+/**
+ *
Performs one or more checks on each {@code Certificate} of a
+ * {@code CertPath}.
+ *
+ *
A {@code CertPathChecker} implementation is typically created to extend
+ * a certification path validation algorithm. For example, an implementation
+ * may check for and process a critical private extension of each certificate
+ * in a certification path.
+ *
+ * @since 1.8
+ */
+public interface CertPathChecker {
+
+ /**
+ * Initializes the internal state of this {@code CertPathChecker}.
+ *
+ *
The {@code forward} flag specifies the order that certificates will
+ * be passed to the {@link #check check} method (forward or reverse).
+ *
+ * @param forward the order that certificates are presented to the
+ * {@code check} method. If {@code true}, certificates are
+ * presented from target to trust anchor (forward); if
+ * {@code false}, from trust anchor to target (reverse).
+ * @throws CertPathValidatorException if this {@code CertPathChecker} is
+ * unable to check certificates in the specified order
+ */
+ void init(boolean forward) throws CertPathValidatorException;
+
+ /**
+ * Indicates if forward checking is supported. Forward checking refers
+ * to the ability of the {@code CertPathChecker} to perform its checks
+ * when certificates are presented to the {@code check} method in the
+ * forward direction (from target to trust anchor).
+ *
+ * @return {@code true} if forward checking is supported, {@code false}
+ * otherwise
+ */
+ boolean isForwardCheckingSupported();
+
+ /**
+ * Performs the check(s) on the specified certificate using its internal
+ * state. The certificates are presented in the order specified by the
+ * {@code init} method.
+ *
+ * @param cert the {@code Certificate} to be checked
+ * @throws CertPathValidatorException if the specified certificate does
+ * not pass the check
+ */
+ void check(Certificate cert) throws CertPathValidatorException;
+}
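Review bot: The `check` comment never says that `init` must have been called first, or what a checker does when `check` is reached with state left over from an earlier path. For a component that decides whether a certificate is accepted, that gap lets an implementation be reused across validations with stale state and still look conforming. I would add to the `check` comment something like `Callers must invoke init before the first call to check for each certification path; behaviour is otherwise unspecified.` The `init` comment also drops the guarantee, stated on `PKIXCertPathChecker.init`, that reverse order must always be supported, so a caller holding only a `CertPathChecker` has no direction it can rely on; say so explicitly if that is intended.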
diff --git a/jdk/src/share/classes/java/security/cert/CertPathValidator.java b/jdk/src/share/classes/java/security/cert/CertPathValidator.java
index ddeea9951a6..9d912acdabd 100644
--- a/jdk/src/share/classes/java/security/cert/CertPathValidator.java
+++ b/jdk/src/share/classes/java/security/cert/CertPathValidator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -46,15 +46,29 @@ import sun.security.jca.GetInstance.Instance;
* call one of the static getInstance methods, passing in the
* algorithm name of the CertPathValidator desired and
* optionally the name of the provider desired.
- *
- * Once a CertPathValidator object has been created, it can
+ *
+ *
Once a CertPathValidator object has been created, it can
* be used to validate certification paths by calling the {@link #validate
* validate} method and passing it the CertPath to be validated
* and an algorithm-specific set of parameters. If successful, the result is
* returned in an object that implements the
* CertPathValidatorResult interface.
*
- *
Every implementation of the Java platform is required to support the
+ *
The {@link #getRevocationChecker} method allows an application to specify
+ * additional algorithm-specific parameters and options used by the
+ * {@code CertPathValidator} when checking the revocation status of
+ * certificates. Here is an example demonstrating how it is used with the PKIX
+ * algorithm:
+ *
+ *
+ * CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
+ * PKIXRevocationChecker rc = (PKIXRevocationChecker)cpv.getRevocationChecker();
+ * rc.setOptions(EnumSet.of(Option.SOFT_FAIL));
+ * params.addCertPathChecker(rc);
+ * CertPathValidatorResult cpvr = cpv.validate(path, params);
+ *
+ *
+ * Every implementation of the Java platform is required to support the
* following standard CertPathValidator algorithm:
*
CertPathValidator object of the given algorithm,
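Review bot: The class-level sample at `rc.setOptions(EnumSet.of(Option.SOFT_FAIL));` presents soft-fail as the way to configure the revocation checker and says nothing about what it trades away. If `SOFT_FAIL` means what the name suggests (validation succeeds when revocation status cannot be obtained), then whenever the OCSP or CRL fetch fails or is blocked a revoked certificate is accepted, and class examples tend to be copied verbatim. I would use a neutral option in the sample, as the `CertPathBuilder` example does with `Option.PREFER_CRLS`, or add one sentence such as `SOFT_FAIL accepts a certificate whose status cannot be determined; use it only where availability outweighs revocation assurance.` The sample also relies on `params` and `path` that it never declares, which deserves a short lead-in.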
@@ -301,15 +314,30 @@ public class CertPathValidator {
* if no such property exists.
*/
public final static String getDefaultType() {
- String cpvtype;
- cpvtype = AccessController.doPrivileged(new PrivilegedActionThe primary purpose of this method is to allow callers to specify + * additional input parameters and options specific to revocation checking. + * See the class description for an example. + * + * @throws UnsupportedOperationException if the service provider does not + * support this method + * @since 1.8 + */ + public final CertPathChecker getRevocationChecker() { + return validatorSpi.engineGetRevocationChecker(); } } diff --git a/jdk/src/share/classes/java/security/cert/CertPathValidatorSpi.java b/jdk/src/share/classes/java/security/cert/CertPathValidatorSpi.java index 6dd4143ba04..6d3bd8c9968 100644 --- a/jdk/src/share/classes/java/security/cert/CertPathValidatorSpi.java +++ b/jdk/src/share/classes/java/security/cert/CertPathValidatorSpi.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -82,4 +82,25 @@ public abstract class CertPathValidatorSpi { public abstract CertPathValidatorResult engineValidate(CertPath certPath, CertPathParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException; + + /** + * Returns a {@code CertPathChecker} that this implementation uses to + * check the revocation status of certificates. A PKIX implementation + * returns objects of type {@code PKIXRevocationChecker}. + * + *
The primary purpose of this method is to allow callers to specify
+ * additional input parameters and options specific to revocation checking.
+ * See the class description of {@code CertPathValidator} for an example.
+ *
+ *
This method was added to version 1.8 of the Java Platform Standard
+ * Edition. In order to maintain backwards compatibility with existing
+ * service providers, this method cannot be abstract and by default throws
+ * an {@code UnsupportedOperationException}.
+ *
+ * @throws UnsupportedOperationException if this method is not supported
+ * @since 1.8
+ */
+ public CertPathChecker engineGetRevocationChecker() {
+ throw new UnsupportedOperationException();
+ }
}
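Review bot: The comment on `engineGetRevocationChecker` has no `@return` tag and does not say whether each call yields a new, independent checker or the instance the validator itself uses. The returned object is meant to be reconfigured by the caller (the class example calls `setOptions` on it), so if a provider handed back shared state, one caller's options would silently apply to another caller's validation. I would add `@return a new {@code CertPathChecker}, independent of any previously returned instance, used to check revocation status`, or state the opposite if sharing is intended. The same applies to `CertPathBuilderSpi.engineGetRevocationChecker` earlier in this change and to the two `getRevocationChecker` facade methods, whose visible comments go straight from the description to `@throws`.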
diff --git a/jdk/src/share/classes/java/security/cert/PKIXCertPathChecker.java b/jdk/src/share/classes/java/security/cert/PKIXCertPathChecker.java
index 656a51706fd..30b44c37f74 100644
--- a/jdk/src/share/classes/java/security/cert/PKIXCertPathChecker.java
+++ b/jdk/src/share/classes/java/security/cert/PKIXCertPathChecker.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -87,7 +87,8 @@ import java.util.Set;
* @author Yassir Elley
* @author Sean Mullan
*/
-public abstract class PKIXCertPathChecker implements Cloneable {
+public abstract class PKIXCertPathChecker
+ implements CertPathChecker, Cloneable {
/**
* Default constructor.
@@ -111,6 +112,7 @@ public abstract class PKIXCertPathChecker implements Cloneable {
* the specified order; it should never be thrown if the forward flag
* is false since reverse checking must be supported
*/
+ @Override
public abstract void init(boolean forward)
throws CertPathValidatorException;
@@ -123,6 +125,7 @@ public abstract class PKIXCertPathChecker implements Cloneable {
* @return This implementation calls
+ * {@code check(cert, java.util.Collections. A {@code PKIXRevocationChecker} checks the revocation status of
+ * certificates with the Online Certificate Status Protocol (OCSP) or
+ * Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
+ * is a network protocol for determining the status of a certificate. A CRL
+ * is a time-stamped list identifying revoked certificates, and RFC 5280
+ * describes an algorithm for determining the revocation status of certificates
+ * using CRLs.
+ *
+ * Each {@code PKIXRevocationChecker} must be able to check the revocation
+ * status of certificates with OCSP and CRLs. By default, OCSP is the
+ * preferred mechanism for checking revocation status, with CRLs as the
+ * fallback mechanism. However, this preference can be switched to CRLs with
+ * the {@link Option.PREFER_CRLS} option.
+ *
+ * A {@code PKIXRevocationChecker} is obtained by calling the
+ * {@link CertPathValidator#getRevocationChecker getRevocationChecker} method
+ * of a PKIX {@code CertPathValidator}. Additional parameters and options
+ * specific to revocation can be set (by calling {@link #setOCSPResponder}
+ * method for instance). The {@code PKIXRevocationChecker} is added to
+ * a {@code PKIXParameters} object using the
+ * {@link PKIXParameters#addCertPathChecker addCertPathChecker}
+ * or {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} method,
+ * and then the {@code PKIXParameters} is passed along with the {@code CertPath}
+ * to be validated to the {@link CertPathValidator#validate validate} method
+ * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
+ * this manner, do not enable the default revocation checking mechanism (by
+ * calling {@link PKIXParameters#setRevocationEnabled}.
+ *
+ * Note that when a {@code PKIXRevocationChecker} is added to
+ * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
+ * thus any subsequent modifications to the {@code PKIXRevocationChecker}
+ * have no effect.
+ *
+ * Any parameter that is not set (or is set to {@code null}) will be set to
+ * the default value for that parameter.
+ *
+ * Concurrent Access
+ *
+ * Unless otherwise specified, the methods defined in this class are not
+ * thread-safe. Multiple threads that need to access a single object
+ * concurrently should synchronize amongst themselves and provide the
+ * necessary locking. Multiple threads each manipulating separate objects
+ * need not synchronize.
+ *
+ * @since 1.8
+ */
+public abstract class PKIXRevocationChecker extends PKIXCertPathChecker {
+ private URI ocspResponder;
+ private X509Certificate ocspResponderCert;
+ private Listtrue if forward checking is supported,
* false otherwise
*/
+ @Override
public abstract boolean isForwardCheckingSupported();
/**
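Review bot: The `PKIXRevocationChecker` class comment (this page shows it displaced into the `PKIXCertPathChecker` section) has documentation defects that affect how callers configure revocation. `{@link Option.PREFER_CRLS}` does not resolve as a Javadoc link; member references need `#`, i.e. `{@link Option#PREFER_CRLS}`. The sentence ending `(by calling {@link PKIXParameters#setRevocationEnabled}.` is missing its closing parenthesis, and its advice is easy to misread: it tells callers not to enable default revocation checking, yet neither class-level example calls `setRevocationEnabled(false)`, and `PKIXParameters` has revocation checking on by default. I would state explicitly whether callers must call `params.setRevocationEnabled(false)` when adding the checker, and what the validator does when both the default mechanism and a supplied checker are active.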
@@ -162,6 +165,17 @@ public abstract class PKIXCertPathChecker implements Cloneable {
CollectionObject.clone()
* method.
@@ -170,6 +184,7 @@ public abstract class PKIXCertPathChecker implements Cloneable {
*
* @return a copy of this PKIXCertPathChecker
*/
+ @Override
public Object clone() {
try {
return super.clone();
diff --git a/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java b/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
new file mode 100644
index 00000000000..a97f834c372
--- /dev/null
+++ b/jdk/src/share/classes/java/security/cert/PKIXRevocationChecker.java
@@ -0,0 +1,271 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package java.security.cert;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+/**
+ * A {@code PKIXCertPathChecker} for checking the revocation status of
+ * certificates with the PKIX algorithm.
+ *
+ *