/* * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.security.cert; import java.security.AccessController; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivilegedAction; import java.security.Provider; import java.security.Security; import sun.security.util.Debug; import sun.security.jca.*; import sun.security.jca.GetInstance.Instance; /** * A class for building certification paths (also known as certificate chains). *
* This class uses a provider-based architecture. * To create a {@code CertPathBuilder}, call * one of the static {@code getInstance} methods, passing in the * algorithm name of the {@code CertPathBuilder} desired and optionally * the name of the provider desired. * *
Once a {@code CertPathBuilder} object has been created, certification * paths can be constructed by calling the {@link #build build} method and * passing it an algorithm-specific set of parameters. If successful, the * result (including the {@code CertPath} that was built) is returned * in an object that implements the {@code CertPathBuilderResult} * interface. * *
The {@link #getRevocationChecker} method allows an application to specify * additional algorithm-specific parameters and options used by the * {@code CertPathBuilder} when checking the revocation status of certificates. * Here is an example demonstrating how it is used with the PKIX algorithm: * *
* CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); * PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker(); * rc.setOptions(EnumSet.of(Option.PREFER_CRLS)); * params.addCertPathChecker(rc); * CertPathBuilderResult cpbr = cpb.build(params); ** *
Android provides the following {@code CertPathBuilder} algorithms: *
Algorithm | *Supported API Levels | *
---|---|
PKIX | *1+ | *
* Concurrent Access *
* The static methods of this class are guaranteed to be thread-safe. * Multiple threads may concurrently invoke the static methods defined in * this class with no ill effects. *
* However, this is not true for the non-static methods defined by this class. * Unless otherwise documented by a specific provider, threads that need to * access a single {@code CertPathBuilder} instance concurrently should * synchronize amongst themselves and provide the necessary locking. Multiple * threads each manipulating a different {@code CertPathBuilder} instance * need not synchronize. * * @see CertPath * * @since 1.4 * @author Sean Mullan * @author Yassir Elley */ public class CertPathBuilder { /* * Constant to lookup in the Security properties file to determine * the default certpathbuilder type. In the Security properties file, * the default certpathbuilder type is given as: *
* certpathbuilder.type=PKIX **/ private static final String CPB_TYPE = "certpathbuilder.type"; private final CertPathBuilderSpi builderSpi; private final Provider provider; private final String algorithm; /** * Creates a {@code CertPathBuilder} object of the given algorithm, * and encapsulates the given provider implementation (SPI object) in it. * * @param builderSpi the provider implementation * @param provider the provider * @param algorithm the algorithm name */ protected CertPathBuilder(CertPathBuilderSpi builderSpi, Provider provider, String algorithm) { this.builderSpi = builderSpi; this.provider = provider; this.algorithm = algorithm; } /** * Returns a {@code CertPathBuilder} object that implements the * specified algorithm. * *
This method traverses the list of registered security Providers, * starting with the most preferred Provider. * A new CertPathBuilder object encapsulating the * CertPathBuilderSpi implementation from the first * Provider that supports the specified algorithm is returned. * *
Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * * @param algorithm the name of the requested {@code CertPathBuilder} * algorithm. See the CertPathBuilder section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @return a {@code CertPathBuilder} object that implements the * specified algorithm. * * @throws NoSuchAlgorithmException if no Provider supports a * CertPathBuilderSpi implementation for the * specified algorithm. * * @see java.security.Provider */ public static CertPathBuilder getInstance(String algorithm) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("CertPathBuilder", CertPathBuilderSpi.class, algorithm); return new CertPathBuilder((CertPathBuilderSpi)instance.impl, instance.provider, algorithm); } /** * Returns a {@code CertPathBuilder} object that implements the * specified algorithm. * *
A new CertPathBuilder object encapsulating the * CertPathBuilderSpi implementation from the specified provider * is returned. The specified provider must be registered * in the security provider list. * *
Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * * @param algorithm the name of the requested {@code CertPathBuilder} * algorithm. See the CertPathBuilder section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @param provider the name of the provider. * * @return a {@code CertPathBuilder} object that implements the * specified algorithm. * * @throws NoSuchAlgorithmException if a CertPathBuilderSpi * implementation for the specified algorithm is not * available from the specified provider. * * @throws NoSuchProviderException if the specified provider is not * registered in the security provider list. * * @exception IllegalArgumentException if the {@code provider} is * null or empty. * * @see java.security.Provider */ public static CertPathBuilder getInstance(String algorithm, String provider) throws NoSuchAlgorithmException, NoSuchProviderException { Instance instance = GetInstance.getInstance("CertPathBuilder", CertPathBuilderSpi.class, algorithm, provider); return new CertPathBuilder((CertPathBuilderSpi)instance.impl, instance.provider, algorithm); } /** * Returns a {@code CertPathBuilder} object that implements the * specified algorithm. * *
A new CertPathBuilder object encapsulating the * CertPathBuilderSpi implementation from the specified Provider * object is returned. Note that the specified Provider object * does not have to be registered in the provider list. * * @param algorithm the name of the requested {@code CertPathBuilder} * algorithm. See the CertPathBuilder section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard algorithm names. * * @param provider the provider. * * @return a {@code CertPathBuilder} object that implements the * specified algorithm. * * @exception NoSuchAlgorithmException if a CertPathBuilderSpi * implementation for the specified algorithm is not available * from the specified Provider object. * * @exception IllegalArgumentException if the {@code provider} is * null. * * @see java.security.Provider */ public static CertPathBuilder getInstance(String algorithm, Provider provider) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("CertPathBuilder", CertPathBuilderSpi.class, algorithm, provider); return new CertPathBuilder((CertPathBuilderSpi)instance.impl, instance.provider, algorithm); } /** * Returns the provider of this {@code CertPathBuilder}. * * @return the provider of this {@code CertPathBuilder} */ public final Provider getProvider() { return this.provider; } /** * Returns the name of the algorithm of this {@code CertPathBuilder}. * * @return the name of the algorithm of this {@code CertPathBuilder} */ public final String getAlgorithm() { return this.algorithm; } /** * Attempts to build a certification path using the specified algorithm * parameter set. * * @param params the algorithm parameters * @return the result of the build algorithm * @throws CertPathBuilderException if the builder is unable to construct * a certification path that satisfies the specified parameters * @throws InvalidAlgorithmParameterException if the specified parameters * are inappropriate for this {@code CertPathBuilder} */ public final CertPathBuilderResult build(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException { return builderSpi.engineBuild(params); } /** * Returns the default {@code CertPathBuilder} type as specified by * the {@code certpathbuilder.type} security property, or the string * {@literal "PKIX"} if no such property exists. * *
The default {@code CertPathBuilder} type can be used by * applications that do not want to use a hard-coded type when calling one * of the {@code getInstance} methods, and want to provide a default * type in case a user does not specify its own. * *
The default {@code CertPathBuilder} type can be changed by
* setting the value of the {@code certpathbuilder.type} security property
* to the desired type.
*
* @see java.security.Security security properties
* @return the default {@code CertPathBuilder} type as specified
* by the {@code certpathbuilder.type} security property, or the string
* {@literal "PKIX"} if no such property exists.
*/
public final static String getDefaultType() {
String cpbtype =
AccessController.doPrivileged(new PrivilegedAction The primary purpose of this method is to allow callers to specify
* additional input parameters and options specific to revocation checking.
* See the class description for an example.
*
* @return a {@code CertPathChecker}
* @throws UnsupportedOperationException if the service provider does not
* support this method
* @since 1.8
*/
public final CertPathChecker getRevocationChecker() {
return builderSpi.engineGetRevocationChecker();
}
}