Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
 Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
38918 views
1
/*

2
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25


26
package javax.net.ssl;

27


28
import java.net.Socket;

29
import javax.net.ssl.X509TrustManager;

30


31
import java.security.cert.X509Certificate;

32
import java.security.cert.CertificateException;

33


34
/**

35
 * Extensions to the <code>X509TrustManager</code> interface to support

36
 * SSL/TLS connection sensitive trust management.

37
 * <p>

38
 * To prevent man-in-the-middle attacks, hostname checks can be done

39
 * to verify that the hostname in an end-entity certificate matches the

40
 * targeted hostname.  TLS does not require such checks, but some protocols

41
 * over TLS (such as HTTPS) do.  In earlier versions of the JDK, the

42
 * certificate chain checks were done at the SSL/TLS layer, and the hostname

43
 * verification checks were done at the layer over TLS.  This class allows

44
 * for the checking to be done during a single call to this class.

45
 * <p>

46
 * RFC 2830 defines the server identification specification for the "LDAPS"

47
 * algorithm. RFC 2818 defines both the server identification and the

48
 * client identification specification for the "HTTPS" algorithm.

49
 *

50
 * @see X509TrustManager

51
 * @see HostnameVerifier

52
 *

53
 * @since 1.7

54
 */

55
public abstract class X509ExtendedTrustManager implements X509TrustManager {

56
    /**

57
     * Given the partial or complete certificate chain provided by the

58
     * peer, build and validate the certificate path based on the

59
     * authentication type and ssl parameters.

60
     * <p>

61
     * The authentication type is determined by the actual certificate

62
     * used. For instance, if RSAPublicKey is used, the authType

63
     * should be "RSA". Checking is case-sensitive.

64
     * <p>

65
     * If the <code>socket</code> parameter is an instance of

66
     * {@link javax.net.ssl.SSLSocket}, and the endpoint identification

67
     * algorithm of the <code>SSLParameters</code> is non-empty, to prevent

68
     * man-in-the-middle attacks, the address that the <code>socket</code>

69
     * connected to should be checked against the peer's identity presented

70
     * in the end-entity X509 certificate, as specified in the endpoint

71
     * identification algorithm.

72
     * <p>

73
     * If the <code>socket</code> parameter is an instance of

74
     * {@link javax.net.ssl.SSLSocket}, and the algorithm constraints of the

75
     * <code>SSLParameters</code> is non-null, for every certificate in the

76
     * certification path, fields such as subject public key, the signature

77
     * algorithm, key usage, extended key usage, etc. need to conform to the

78
     * algorithm constraints in place on this socket.

79
     *

80
     * @param chain the peer certificate chain

81
     * @param authType the key exchange algorithm used

82
     * @param socket the socket used for this connection. This parameter

83
     *        can be null, which indicates that implementations need not check

84
     *        the ssl parameters

85
     * @throws IllegalArgumentException if null or zero-length array is passed

86
     *        in for the <code>chain</code> parameter or if null or zero-length

87
     *        string is passed in for the <code>authType</code> parameter

88
     * @throws CertificateException if the certificate chain is not trusted

89
     *        by this TrustManager

90
     *

91
     * @see SSLParameters#getEndpointIdentificationAlgorithm

92
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

93
     * @see SSLParameters#getAlgorithmConstraints

94
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

95
     */

96
    public abstract void checkClientTrusted(X509Certificate[] chain,

97
            String authType, Socket socket) throws CertificateException;

98


99
    /**

100
     * Given the partial or complete certificate chain provided by the

101
     * peer, build and validate the certificate path based on the

102
     * authentication type and ssl parameters.

103
     * <p>

104
     * The authentication type is the key exchange algorithm portion

105
     * of the cipher suites represented as a String, such as "RSA",

106
     * "DHE_DSS". Note: for some exportable cipher suites, the key

107
     * exchange algorithm is determined at run time during the

108
     * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,

109
     * the authType should be RSA_EXPORT when an ephemeral RSA key is

110
     * used for the key exchange, and RSA when the key from the server

111
     * certificate is used. Checking is case-sensitive.

112
     * <p>

113
     * If the <code>socket</code> parameter is an instance of

114
     * {@link javax.net.ssl.SSLSocket}, and the endpoint identification

115
     * algorithm of the <code>SSLParameters</code> is non-empty, to prevent

116
     * man-in-the-middle attacks, the address that the <code>socket</code>

117
     * connected to should be checked against the peer's identity presented

118
     * in the end-entity X509 certificate, as specified in the endpoint

119
     * identification algorithm.

120
     * <p>

121
     * If the <code>socket</code> parameter is an instance of

122
     * {@link javax.net.ssl.SSLSocket}, and the algorithm constraints of the

123
     *  <code>SSLParameters</code> is non-null, for every certificate in the

124
     * certification path, fields such as subject public key, the signature

125
     * algorithm, key usage, extended key usage, etc. need to conform to the

126
     * algorithm constraints in place on this socket.

127
     *

128
     * @param chain the peer certificate chain

129
     * @param authType the key exchange algorithm used

130
     * @param socket the socket used for this connection. This parameter

131
     *        can be null, which indicates that implementations need not check

132
     *        the ssl parameters

133
     * @throws IllegalArgumentException if null or zero-length array is passed

134
     *        in for the <code>chain</code> parameter or if null or zero-length

135
     *        string is passed in for the <code>authType</code> parameter

136
     * @throws CertificateException if the certificate chain is not trusted

137
     *        by this TrustManager

138
     *

139
     * @see SSLParameters#getEndpointIdentificationAlgorithm

140
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

141
     * @see SSLParameters#getAlgorithmConstraints

142
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

143
     */

144
    public abstract void checkServerTrusted(X509Certificate[] chain,

145
        String authType, Socket socket) throws CertificateException;

146


147
    /**

148
     * Given the partial or complete certificate chain provided by the

149
     * peer, build and validate the certificate path based on the

150
     * authentication type and ssl parameters.

151
     * <p>

152
     * The authentication type is determined by the actual certificate

153
     * used. For instance, if RSAPublicKey is used, the authType

154
     * should be "RSA". Checking is case-sensitive.

155
     * <p>

156
     * If the <code>engine</code> parameter is available, and the endpoint

157
     * identification algorithm of the <code>SSLParameters</code> is

158
     * non-empty, to prevent man-in-the-middle attacks, the address that

159
     * the <code>engine</code> connected to should be checked against

160
     * the peer's identity presented in the end-entity X509 certificate,

161
     * as specified in the endpoint identification algorithm.

162
     * <p>

163
     * If the <code>engine</code> parameter is available, and the algorithm

164
     * constraints of the <code>SSLParameters</code> is non-null, for every

165
     * certificate in the certification path, fields such as subject public

166
     * key, the signature algorithm, key usage, extended key usage, etc.

167
     * need to conform to the algorithm constraints in place on this engine.

168
     *

169
     * @param chain the peer certificate chain

170
     * @param authType the key exchange algorithm used

171
     * @param engine the engine used for this connection. This parameter

172
     *        can be null, which indicates that implementations need not check

173
     *        the ssl parameters

174
     * @throws IllegalArgumentException if null or zero-length array is passed

175
     *        in for the <code>chain</code> parameter or if null or zero-length

176
     *        string is passed in for the <code>authType</code> parameter

177
     * @throws CertificateException if the certificate chain is not trusted

178
     *        by this TrustManager

179
     *

180
     * @see SSLParameters#getEndpointIdentificationAlgorithm

181
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

182
     * @see SSLParameters#getAlgorithmConstraints

183
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

184
     */

185
    public abstract void checkClientTrusted(X509Certificate[] chain,

186
        String authType, SSLEngine engine) throws CertificateException;

187


188
    /**

189
     * Given the partial or complete certificate chain provided by the

190
     * peer, build and validate the certificate path based on the

191
     * authentication type and ssl parameters.

192
     * <p>

193
     * The authentication type is the key exchange algorithm portion

194
     * of the cipher suites represented as a String, such as "RSA",

195
     * "DHE_DSS". Note: for some exportable cipher suites, the key

196
     * exchange algorithm is determined at run time during the

197
     * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,

198
     * the authType should be RSA_EXPORT when an ephemeral RSA key is

199
     * used for the key exchange, and RSA when the key from the server

200
     * certificate is used. Checking is case-sensitive.

201
     * <p>

202
     * If the <code>engine</code> parameter is available, and the endpoint

203
     * identification algorithm of the <code>SSLParameters</code> is

204
     * non-empty, to prevent man-in-the-middle attacks, the address that

205
     * the <code>engine</code> connected to should be checked against

206
     * the peer's identity presented in the end-entity X509 certificate,

207
     * as specified in the endpoint identification algorithm.

208
     * <p>

209
     * If the <code>engine</code> parameter is available, and the algorithm

210
     * constraints of the <code>SSLParameters</code> is non-null, for every

211
     * certificate in the certification path, fields such as subject public

212
     * key, the signature algorithm, key usage, extended key usage, etc.

213
     * need to conform to the algorithm constraints in place on this engine.

214
     *

215
     * @param chain the peer certificate chain

216
     * @param authType the key exchange algorithm used

217
     * @param engine the engine used for this connection. This parameter

218
     *        can be null, which indicates that implementations need not check

219
     *        the ssl parameters

220
     * @throws IllegalArgumentException if null or zero-length array is passed

221
     *        in for the <code>chain</code> parameter or if null or zero-length

222
     *        string is passed in for the <code>authType</code> parameter

223
     * @throws CertificateException if the certificate chain is not trusted

224
     *        by this TrustManager

225
     *

226
     * @see SSLParameters#getEndpointIdentificationAlgorithm

227
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

228
     * @see SSLParameters#getAlgorithmConstraints

229
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

230
     */

231
    public abstract void checkServerTrusted(X509Certificate[] chain,

232
        String authType, SSLEngine engine) throws CertificateException;

233


234
}

235


236