2362N/A * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * An abstract class that performs one or more checks on an 0N/A * <code>X509Certificate</code>. 0N/A * <p>A concrete implementation of the <code>PKIXCertPathChecker</code> class 0N/A * can be created to extend the PKIX certification path validation algorithm. 0N/A * For example, an implementation may check for and process a critical private 0N/A * extension of each certificate in a certification path. 0N/A * <p>Instances of <code>PKIXCertPathChecker</code> are passed as parameters 0N/A * using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} 0N/A * or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods 0N/A * of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code> 0N/A * class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check} 0N/A * methods will be called, in turn, for each certificate processed by a PKIX 0N/A * <code>CertPathValidator</code> or <code>CertPathBuilder</code> 0N/A * <p>A <code>PKIXCertPathChecker</code> may be called multiple times on 0N/A * successive certificates in a certification path. Concrete subclasses 0N/A * are expected to maintain any internal state that may be necessary to 0N/A * check successive certificates. The {@link #init init} method is used 0N/A * to initialize the internal state of the checker so that the certificates 0N/A * of a new certification path may be checked. A stateful implementation 0N/A * <b>must</b> override the {@link #clone clone} method if necessary in 0N/A * order to allow a PKIX <code>CertPathBuilder</code> to efficiently 0N/A * backtrack and try other paths. In these situations, the 0N/A * <code>CertPathBuilder</code> is able to restore prior path validation 0N/A * states by restoring the cloned <code>PKIXCertPathChecker</code>s. 0N/A * <p>The order in which the certificates are presented to the 0N/A * <code>PKIXCertPathChecker</code> may be either in the forward direction 0N/A * (from target to most-trusted CA) or in the reverse direction (from 0N/A * most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation 0N/A * <b>must</b> support reverse checking (the ability to perform its checks when 0N/A * it is presented with certificates in the reverse direction) and <b>may</b> 0N/A * support forward checking (the ability to perform its checks when it is 0N/A * presented with certificates in the forward direction). The 0N/A * {@link #isForwardCheckingSupported isForwardCheckingSupported} method 0N/A * indicates whether forward checking is supported. 0N/A * Additional input parameters required for executing the check may be 0N/A * specified through constructors of concrete implementations of this class. 0N/A * <b>Concurrent Access</b> 0N/A * Unless otherwise specified, the methods defined in this class are not 0N/A * thread-safe. Multiple threads that need to access a single 0N/A * object concurrently should synchronize amongst themselves and 0N/A * provide the necessary locking. Multiple threads each manipulating 0N/A * separate objects need not synchronize. 0N/A * @see PKIXParameters 0N/A * @see PKIXBuilderParameters 0N/A * @author Yassir Elley 0N/A * @author Sean Mullan 0N/A * Default constructor. 0N/A * Initializes the internal state of this <code>PKIXCertPathChecker</code>. 0N/A * The <code>forward</code> flag specifies the order that 0N/A * certificates will be passed to the {@link #check check} method 0N/A * (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b> 0N/A * support reverse checking and <b>may</b> support forward checking. 0N/A * @param forward the order that certificates are presented to 0N/A * the <code>check</code> method. If <code>true</code>, certificates 0N/A * are presented from target to most-trusted CA (forward); if 0N/A * <code>false</code>, from most-trusted CA to target (reverse). 0N/A * @throws CertPathValidatorException if this 0N/A * <code>PKIXCertPathChecker</code> is unable to check certificates in 0N/A * the specified order; it should never be thrown if the forward flag 0N/A * is false since reverse checking must be supported 0N/A * Indicates if forward checking is supported. Forward checking refers 0N/A * to the ability of the <code>PKIXCertPathChecker</code> to perform 0N/A * its checks when certificates are presented to the <code>check</code> 0N/A * method in the forward direction (from target to most-trusted CA). 0N/A * @return <code>true</code> if forward checking is supported, 0N/A * <code>false</code> otherwise 0N/A * Returns an immutable <code>Set</code> of X.509 certificate extensions 0N/A * that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is 0N/A * able to process), or <code>null</code> if no extensions are supported. 0N/A * Each element of the set is a <code>String</code> representing the 0N/A * Object Identifier (OID) of the X.509 extension that is supported. 0N/A * The OID is represented by a set of nonnegative integers separated by 0N/A * All X.509 certificate extensions that a <code>PKIXCertPathChecker</code> 0N/A * might possibly be able to process should be included in the set. 0N/A * @return an immutable <code>Set</code> of X.509 extension OIDs (in 0N/A * <code>String</code> format) supported by this 0N/A * <code>PKIXCertPathChecker</code>, or <code>null</code> if no 0N/A * extensions are supported 0N/A * Performs the check(s) on the specified certificate using its internal 0N/A * state and removes any critical extensions that it processes from the 0N/A * specified collection of OID strings that represent the unresolved 0N/A * critical extensions. The certificates are presented in the order 0N/A * specified by the <code>init</code> method. 0N/A * @param cert the <code>Certificate</code> to be checked 0N/A * @param unresolvedCritExts a <code>Collection</code> of OID strings 0N/A * representing the current set of unresolved critical extensions 0N/A * @exception CertPathValidatorException if the specified certificate does 0N/A * not pass the check 0N/A * Returns a clone of this object. Calls the <code>Object.clone()</code> 0N/A * All subclasses which maintain state must support and 0N/A * override this method, if necessary. 0N/A * @return a copy of this <code>PKIXCertPathChecker</code>