ru.CryptoPro.sspiSSL.validator

Class Validator

java.lang.Object

ru.CryptoPro.sspiSSL.validator.Validator

Direct Known Subclasses:

EmptyValidator, PKIXValidator, SimpleValidator

public abstract class Validator
extends java.lang.Object

Validator abstract base class. Concrete classes are instantiated by calling one of the getInstance() methods. All methods defined in this class must be safe for concurrent use by multiple threads.

The model is that a Validator instance is created specifying validation settings, such as trust anchors or PKIX parameters. Then one or more paths are validated using those parameters. In some cases, additional information can be provided per path validation. This is independent of the validation parameters and currently only used for TLS server validation.

Path validation is performed by calling one of the validate() methods. It specifies a suggested path to be used for validation if available, or only the end entity certificate otherwise. Optionally additional certificates can be specified that the caller believes could be helpful. Implementations are free to make use of this information or validate the path using other means. validate() also checks that the end entity certificate is suitable for the intended purpose as described below.

There are two orthogonal parameters to select the Validator implementation: type and variant. Type selects the validation algorithm. Currently supported are TYPE_SIMPLE and TYPE_PKIX. See SimpleValidator and PKIXValidator for details.

Variant controls additional extension checks. Currently supported are five variants:

• VAR_GENERIC (no additional checks),
• VAR_TLS_CLIENT (TLS client specific checks)
• VAR_TLS_SERVER (TLS server specific checks), and
• VAR_CODE_SIGNING (code signing specific checks).
• VAR_JCE_SIGNING (JCE code signing specific checks).
• VAR_TSA_SERVER (TSA server specific checks).
• VAR_PLUGIN_CODE_SIGNING (Plugin/WebStart code signing specific checks).

See EndEntityChecker for more information.

Examples:

   // instantiate validator specifying type, variant, and trust anchors
   Validator validator = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               trustedCerts);
   // validate one or more chains using the validator
   validator.validate(chain); // throws CertificateException if failed
 

See Also:

SimpleValidator, PKIXValidator, EndEntityChecker

Field Summary

Fields

Modifier and Type	Field and Description
static java.security.cert.CertificateFactory	CERT_FACTORY_DEFAULT Фабрика сертификатов (default).
static java.lang.String	TYPE_LIBSSPI Constant for a validator of type LIBSSPI.
static java.lang.String	TYPE_PKIX Constant for a validator of type PKIX.
static java.lang.String	TYPE_SIMPLE Constant for a validator of type Simple.
static java.lang.String	VAR_CODE_SIGNING Constant for a Code Signing variant of a validator.
static java.lang.String	VAR_GENERIC Constant for a Generic variant of a validator.
static java.lang.String	VAR_JCE_SIGNING Constant for a JCE Code Signing variant of a validator.
static java.lang.String	VAR_PLUGIN_CODE_SIGNING Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.
static java.lang.String	VAR_TLS_CLIENT Constant for a TLS Client variant of a validator.
static java.lang.String	VAR_TLS_SERVER Constant for a TLS Server variant of a validator.
static java.lang.String	VAR_TSA_SERVER Constant for a TSA Server variant of a validator.

Method Summary

Modifier and Type	Method and Description
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.util.Collection<java.security.cert.X509Certificate> trustedCerts) Get a new Validator instance using the Set of X509Certificates as trust anchors.
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.security.KeyStore ks) Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.
static Validator	getInstance(java.lang.String type, java.lang.String variant, java.security.cert.PKIXBuilderParameters params) Get a new Validator instance using the provided PKIXBuilderParameters.
abstract java.util.Collection<java.security.cert.X509Certificate>	getTrustedCertificates() Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
static boolean	isValid(java.security.cert.X509Certificate cert, java.util.Date date) Функция проверки действительности данноо сертификата.
void	setValidationDate(java.util.Date validationDate) Deprecated.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts, java.security.AlgorithmConstraints constraints, java.lang.Object parameter) Validate the given certificate chain.
java.security.cert.X509Certificate[]	validate(java.security.cert.X509Certificate[] chain, java.util.Collection<java.security.cert.X509Certificate> otherCerts, java.lang.Object parameter) Validate the given certificate chain.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TYPE_SIMPLE

public static final java.lang.String TYPE_SIMPLE

Constant for a validator of type Simple.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

TYPE_PKIX

public static final java.lang.String TYPE_PKIX

Constant for a validator of type PKIX.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

TYPE_LIBSSPI

public static final java.lang.String TYPE_LIBSSPI

Constant for a validator of type LIBSSPI.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_GENERIC

public static final java.lang.String VAR_GENERIC

Constant for a Generic variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_CODE_SIGNING

public static final java.lang.String VAR_CODE_SIGNING

Constant for a Code Signing variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_JCE_SIGNING

public static final java.lang.String VAR_JCE_SIGNING

Constant for a JCE Code Signing variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TLS_CLIENT

public static final java.lang.String VAR_TLS_CLIENT

Constant for a TLS Client variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TLS_SERVER

public static final java.lang.String VAR_TLS_SERVER

Constant for a TLS Server variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_TSA_SERVER

public static final java.lang.String VAR_TSA_SERVER

Constant for a TSA Server variant of a validator.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

VAR_PLUGIN_CODE_SIGNING

public static final java.lang.String VAR_PLUGIN_CODE_SIGNING

Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.

See Also:

getInstance(java.lang.String, java.lang.String, java.security.KeyStore), Constant Field Values

CERT_FACTORY_DEFAULT

public static java.security.cert.CertificateFactory CERT_FACTORY_DEFAULT

Фабрика сертификатов (default).

Method Detail

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.security.KeyStore ks)

Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.util.Collection<java.security.cert.X509Certificate> trustedCerts)

Get a new Validator instance using the Set of X509Certificates as trust anchors.

getInstance

public static Validator getInstance(java.lang.String type,
                                    java.lang.String variant,
                                    java.security.cert.PKIXBuilderParameters params)

Get a new Validator instance using the provided PKIXBuilderParameters. This method can only be used with the PKIX validator.

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts,
                                                           java.lang.Object parameter)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Parameter is an additional parameter with variant specific meaning. Currently, it is only defined for TLS_SERVER variant validators, where it must be non null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.

Returns:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

Throws:

java.security.cert.CertificateException

validate

public final java.security.cert.X509Certificate[] validate(java.security.cert.X509Certificate[] chain,
                                                           java.util.Collection<java.security.cert.X509Certificate> otherCerts,
                                                           java.security.AlgorithmConstraints constraints,
                                                           java.lang.Object parameter)
                                                    throws java.security.cert.CertificateException

Validate the given certificate chain.

Parameters:

chain - the target certificate chain

otherCerts - a Collection of additional X509Certificates that could be helpful for path building (or null)

constraints - algorithm constraints for certification path processing

parameter - an additional parameter with variant specific meaning. Currently, it is only defined for TLS_SERVER variant validators, where it must be non null and the name of the TLS key exchange algorithm being used (see JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.

Returns:

a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

Throws:

java.security.cert.CertificateException

getTrustedCertificates

public abstract java.util.Collection<java.security.cert.X509Certificate> getTrustedCertificates()

Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.

setValidationDate

@Deprecated
public void setValidationDate(java.util.Date validationDate)

Deprecated.

Set the date to be used for subsequent validations. NOTE that this is not a supported API, it is provided to simplify writing tests only.

isValid

public static boolean isValid(java.security.cert.X509Certificate cert,
                              java.util.Date date)

Функция проверки действительности данноо сертификата.

Parameters:

cert - сертификат

date - дата

Returns:

true, если сертификат действительный