PKIXMasterCertPathValidator.java revision 2362
2362N/A * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * This class is initialized with a list of <code>PKIXCertPathChecker</code>s 0N/A * and is used to verify the certificates in a <code>CertPath</code> by 0N/A * feeding each certificate to each <code>PKIXCertPathChecker</code>. 0N/A * @author Yassir Elley 0N/A * Initializes the list of PKIXCertPathCheckers whose checks 0N/A * will be performed on each certificate in the certpath. 0N/A * @param certPathCheckers a List of checkers to use 0N/A * Validates a certification path consisting exclusively of 0N/A * <code>X509Certificate</code>s using the 0N/A * <code>PKIXCertPathChecker</code>s specified 0N/A * in the constructor. It is assumed that the 0N/A * <code>PKIXCertPathChecker</code>s 0N/A * have been initialized with any input parameters they may need. 0N/A * @param cpOriginal the original X509 CertPath passed in by the user 0N/A * @param reversedCertList the reversed X509 CertPath (as a List) 0N/A * @exception CertPathValidatorException Exception thrown if cert 0N/A * path does not validate. 0N/A // we actually process reversedCertList, but we keep cpOriginal because 0N/A // we need to return the original certPath when we throw an exception. 0N/A // we will also need to modify the index appropriately when we 0N/A // throw an exception. 0N/A /* The basic loop algorithm is that we get the 0N/A * current certificate, we verify the current certificate using 0N/A * information from the previous certificate and from the state, 0N/A * and we modify the state for the next loop by setting the 0N/A * current certificate of this loop to be the previous certificate 0N/A * of the next loop. The state is initialized during first loop. 0N/A // OCSP has validated the cert so skip the CRL check 0N/A " validation succeeded");
953N/A // Throw the saved OCSP exception unless the CRL 953N/A // checker has determined that the cert is revoked 0N/A * Handle failover from OCSP to CRLs 0N/A // Check if OCSP has confirmed that the cert was revoked 0N/A // Check if it is appropriate to failover 0N/A // Save the current exception 0N/A // (in case the CRL check also fails) 0N/A // Otherwise, failover to CRLs 0N/A "preparing to failover (from OCSP to CRLs)");
0N/A * Examines the list of PKIX cert path checkers to determine whether 0N/A * both the current checker and the next checker are revocation checkers. 0N/A * OCSPChecker and CrlRevocationChecker are both revocation checkers.