/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* This class is initialized with a list of <code>PKIXCertPathChecker</code>s
* and is used to verify the certificates in a <code>CertPath</code> by
* feeding each certificate to each <code>PKIXCertPathChecker</code>.
*
* @since 1.4
* @author Yassir Elley
*/
class PKIXMasterCertPathValidator {
/**
* Initializes the list of PKIXCertPathCheckers whose checks
* will be performed on each certificate in the certpath.
*
* @param certPathCheckers a List of checkers to use
*/
this.certPathCheckers = certPathCheckers;
}
/**
* Validates a certification path consisting exclusively of
* <code>X509Certificate</code>s using the
* <code>PKIXCertPathChecker</code>s specified
* in the constructor. It is assumed that the
* <code>PKIXCertPathChecker</code>s
* have been initialized with any input parameters they may need.
*
* @param cpOriginal the original X509 CertPath passed in by the user
* @param reversedCertList the reversed X509 CertPath (as a List)
* @exception CertPathValidatorException Exception thrown if cert
* path does not validate.
*/
throws CertPathValidatorException
{
// we actually process reversedCertList, but we keep cpOriginal because
// we need to return the original certPath when we throw an exception.
// we will also need to modify the index appropriately when we
// throw an exception.
+ "------------");
+ "algorithm.");
}
for (int i = 0; i < cpSize; i++) {
/* The basic loop algorithm is that we get the
* current certificate, we verify the current certificate using
* information from the previous certificate and from the state,
* and we modify the state for the next loop by setting the
* current certificate of this loop to be the previous certificate
* of the next loop. The state is initialized during first loop.
*/
if (unresolvedCritExts == null) {
}
}
}
}
if (i == 0)
currChecker.init(false);
try {
// OCSP has validated the cert so skip the CRL check
" validation succeeded");
}
j++;
continue; // skip
}
} catch (CertPathValidatorException cpve) {
// Throw the saved OCSP exception unless the CRL
// checker has determined that the cert is revoked
currChecker instanceof CrlRevocationChecker) {
throw cpve;
} else {
throw ocspCause;
}
}
/*
* Handle failover from OCSP to CRLs
*/
// Check if OCSP has confirmed that the cert was revoked
throw currentCause;
}
// Check if it is appropriate to failover
// no failover
throw currentCause;
}
// Save the current exception
// (in case the CRL check also fails)
// Otherwise, failover to CRLs
"preparing to failover (from OCSP to CRLs)");
}
}
}
if (!unresolvedCritExts.isEmpty()) {
throw new CertPathValidatorException("unrecognized " +
}
}
+ "algorithm)");
+ "-------------");
}
}
/*
* Examines the list of PKIX cert path checkers to determine whether
* both the current checker and the next checker are revocation checkers.
* OCSPChecker and CrlRevocationChecker are both revocation checkers.
*/
if (nextChecker instanceof CrlRevocationChecker) {
return true;
}
}
return false;
}
}