public abstract class Validator extends java.lang.Object

java.lang.Object
   ↳ sun.security.validator.Validator
Known Direct Subclasses: PKIXValidator, SimpleValidator

Class Overview

Validator abstract base class. Concrete classes are instantiated by calling one of the getInstance() methods. All methods defined in this class must be safe for concurrent use by multiple threads.

The model is that a Validator instance is created specifying validation settings, such as trust anchors or PKIX parameters. Then one or more paths are validated using those parameters. In some cases, additional information can be provided per path validation. This is independent of the validation parameters and currently only used for TLS server validation.

Path validation is performed by calling one of the validate() methods. The caller passes a suggested path to be used for validation if one is available, or only the end entity certificate otherwise. Optionally, additional certificates can be specified that the caller believes could be helpful for path building. Implementations are free to make use of this information or to validate the path by other means. validate() also checks that the end entity certificate is suitable for the intended purpose, as selected by the variant described below.

There are two orthogonal parameters to select the Validator implementation: type and variant. Type selects the validation algorithm. Currently supported are TYPE_SIMPLE and TYPE_PKIX. See SimpleValidator and PKIXValidator for details.

Variant controls additional extension checks on the end entity certificate (for example key usage and extended key usage). Currently supported are seven variants:

  • VAR_GENERIC (no additional checks),
  • VAR_TLS_CLIENT (TLS client specific checks),
  • VAR_TLS_SERVER (TLS server specific checks),
  • VAR_CODE_SIGNING (code signing specific checks),
  • VAR_JCE_SIGNING (JCE code signing specific checks),
  • VAR_TSA_SERVER (TSA server specific checks), and
  • VAR_PLUGIN_CODE_SIGNING (Plugin/WebStart code signing specific checks).
See EndEntityChecker for more information.

Examples:

   // instantiate validator specifying type, variant, and trust anchors
   Validator validator = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               trustedCerts);
   // validate one or more chains using the validator
   validator.validate(chain); // throws CertificateException if failed
 
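The following program is an added example, not code from the JDK or from this page. It loads a trust store and a PEM-encoded server chain from the command line (both paths are hypothetical) and validates the same chain twice, once as VAR_GENERIC and once as VAR_TLS_SERVER, to make visible that the variant decides which end-entity checks run: a leaf certificate that lacks the extensions expected of a TLS server passes the generic variant and is rejected by the TLS server variant. The third validate() argument for VAR_TLS_SERVER is the key exchange algorithm name; "ECDHE_RSA" is a constructed value standing in for the authType a trust manager would receive. ValidatorException is the package's own CertificateException subclass, which this page does not list; its getErrorType() is used here to print the failure category.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import sun.security.validator.Validator;
import sun.security.validator.ValidatorException;

/**
 * Added example (not JDK code): validate one server chain under two variants.
 * Usage: ValidateServerChain <truststore> <password> <chain.pem>
 * The PEM file is assumed to hold the leaf certificate first, followed by
 * any intermediates; the trust store holds the CA certificates to trust.
 */
public class ValidateServerChain {

    /** Loads every certificate in a PEM file, in file order, as the candidate chain. */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Runs one validation, reports the outcome, and returns whether it passed. */
    static boolean check(Validator v, X509Certificate[] chain, Object param) {
        try {
            // The returned path is leaf at index 0, trust anchor at index n-1.
            X509Certificate[] path = v.validate(chain, null, param);
            System.out.println("  OK: path length " + path.length + ", anchor = "
                    + path[path.length - 1].getSubjectX500Principal());
            return true;
        } catch (ValidatorException e) {
            // getErrorType() returns one of the T_* constants, e.g. T_EE_EXTENSIONS
            // when the end-entity extension checks of the variant fail.
            System.out.println("  REJECTED (" + e.getErrorType() + "): " + e.getMessage());
            return false;
        } catch (CertificateException e) {
            System.out.println("  REJECTED: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ValidateServerChain <truststore> <password> <chain.pem>");
            System.exit(2);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain = loadChain(args[2]);

        // Generic variant: path building, signatures and validity only; no
        // end-entity purpose checks.
        Validator generic = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_GENERIC, ts);
        System.out.println("VAR_GENERIC:");
        check(generic, chain, null);

        // TLS server variant: additionally applies the server-certificate checks of
        // EndEntityChecker. The parameter must be non-null and name the key exchange
        // algorithm; "ECDHE_RSA" is a constructed value for this example.
        Validator tlsServer = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_TLS_SERVER, ts);
        System.out.println("VAR_TLS_SERVER:");
        check(tlsServer, chain, "ECDHE_RSA");
    }
}
```

sun.security.validator is an internal, unsupported package. On JDK 9 and later it is not exported from java.base, so both javac and java need `--add-exports java.base/sun.security.validator=ALL-UNNAMED` for this to compile and run. Two caveats a caller should keep in mind: Validator checks the chain and the end entity's extensions, it does not check that the certificate matches a hostname, so endpoint identification is still the caller's job; and of the three getInstance() forms only the one taking PKIXBuilderParameters lets the caller control settings such as revocation checking.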

Summary

Constants
String TYPE_PKIX Constant for a validator of type PKIX.
String TYPE_SIMPLE Constant for a validator of type Simple.
String VAR_CODE_SIGNING Constant for a Code Signing variant of a validator.
String VAR_GENERIC Constant for a Generic variant of a validator.
String VAR_JCE_SIGNING Constant for a JCE Code Signing variant of a validator.
String VAR_PLUGIN_CODE_SIGNING Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.
String VAR_TLS_CLIENT Constant for a TLS Client variant of a validator.
String VAR_TLS_SERVER Constant for a TLS Server variant of a validator.
String VAR_TSA_SERVER Constant for a TSA Server variant of a validator.
Public Methods
static Validator getInstance(String type, String variant, PKIXBuilderParameters params)
Get a new Validator instance using the provided PKIXBuilderParameters.
static Validator getInstance(String type, String variant, Collection<X509Certificate> trustedCerts)
Get a new Validator instance using the given Collection of X509Certificates as trust anchors.
static Validator getInstance(String type, String variant, KeyStore ks)
Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.
abstract Collection<X509Certificate> getTrustedCertificates()
Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.
void setValidationDate(Date validationDate)
This method is deprecated. No replacement.
final X509Certificate[] validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, Object parameter)
Validate the given certificate chain.
final X509Certificate[] validate(X509Certificate[] chain)
Validate the given certificate chain.
final X509Certificate[] validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts)
Validate the given certificate chain.
Inherited Methods
From class java.lang.Object

Constants

public static final String TYPE_PKIX

Constant for a validator of type PKIX.

Constant Value: "PKIX"

public static final String TYPE_SIMPLE

Constant for a validator of type Simple.

Constant Value: "Simple"

public static final String VAR_CODE_SIGNING

Constant for a Code Signing variant of a validator.

Constant Value: "code signing"

public static final String VAR_GENERIC

Constant for a Generic variant of a validator.

Constant Value: "generic"

public static final String VAR_JCE_SIGNING

Constant for a JCE Code Signing variant of a validator.

Constant Value: "jce signing"

public static final String VAR_PLUGIN_CODE_SIGNING

Constant for a Code Signing variant of a validator for use by the J2SE Plugin/WebStart code.

Constant Value: "plugin code signing"

public static final String VAR_TLS_CLIENT

Constant for a TLS Client variant of a validator.

Constant Value: "tls client"

public static final String VAR_TLS_SERVER

Constant for a TLS Server variant of a validator.

Constant Value: "tls server"

public static final String VAR_TSA_SERVER

Constant for a TSA Server variant of a validator.

Constant Value: "tsa server"

Public Methods

public static Validator getInstance (String type, String variant, PKIXBuilderParameters params)

Get a new Validator instance using the provided PKIXBuilderParameters. This method can only be used with the PKIX validator (TYPE_PKIX). The trust anchors are taken from the parameters, and this is the only getInstance() form that lets the caller control the other PKIX settings (such as revocation checking) used for each validation.
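As an added example (not JDK code), the method below builds a TLS server validator from caller-supplied PKIXBuilderParameters with revocation checking turned on. The trust store path and password are hypothetical inputs; the trust anchors are every trusted certificate entry in that store, which is what the PKIXBuilderParameters(KeyStore, CertSelector) constructor collects. The two properties set here are the JDK's own switches for fetching OCSP responses and CRLs from the certificates' distribution points; with neither set, the revocation checker only consults CRLs supplied through the CertStores in the parameters, so a chain with no locally supplied CRL fails with an undetermined revocation status rather than silently passing.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;

import sun.security.validator.Validator;

/**
 * Added example (not JDK code): a PKIX validator with revocation checking,
 * built through the PKIXBuilderParameters form of getInstance().
 */
public class RevocationCheckingValidator {

    /**
     * Returns a VAR_TLS_SERVER validator whose PKIX parameters have revocation
     * checking enabled. trustStorePath is a hypothetical JKS/PKCS12 file whose
     * trusted certificate entries become the trust anchors.
     */
    static Validator build(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }

        // Every trustedCertEntry in the KeyStore becomes a TrustAnchor; the empty
        // X509CertSelector places no extra constraint on the target certificate.
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, new X509CertSelector());
        params.setRevocationEnabled(true);

        // Allow the JDK's revocation checker to fetch OCSP responses and CRLs from
        // the AIA and CRL distribution point extensions of the chain.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Only this getInstance() form honours caller-supplied PKIX settings.
        return Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_TLS_SERVER, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: RevocationCheckingValidator <truststore> <password>");
            System.exit(2);
        }
        Validator v = build(args[0], args[1].toCharArray());
        // getTrustedCertificates() exposes the anchors the validator will accept.
        for (X509Certificate anchor : v.getTrustedCertificates()) {
            System.out.println("trust anchor: " + anchor.getSubjectX500Principal());
        }
    }
}
```

Validation itself is then the same validate(chain, otherCerts, authType) call as for any other instance. Because the properties are process-wide, set them once at startup rather than per validator.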

public static Validator getInstance (String type, String variant, Collection<X509Certificate> trustedCerts)

Get a new Validator instance using the given Collection of X509Certificates as trust anchors.

public static Validator getInstance (String type, String variant, KeyStore ks)

Get a new Validator instance using the trusted certificates from the specified KeyStore as trust anchors.

public abstract Collection<X509Certificate> getTrustedCertificates ()

Returns an immutable Collection of the X509Certificates this instance uses as trust anchors.

public void setValidationDate (Date validationDate)

This method is deprecated.
No replacement.

Set the date to be used for subsequent validations. NOTE that this is not a supported API, it is provided to simplify writing tests only.

public final X509Certificate[] validate (X509Certificate[] chain, Collection<X509Certificate> otherCerts, Object parameter)

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.

Parameter is an additional argument with variant-specific meaning. Currently, it is only defined for VAR_TLS_SERVER validators, where it must be non-null and be the name of the TLS key exchange algorithm being used (the authType of the JSSE X509TrustManager specification). In the future, it could be used to pass in a PKCS#7 object for code signing to check time stamps.

Returns
  • a non-empty chain that was used to validate the path. The end entity cert is at index 0, the trust anchor at index n-1.

public final X509Certificate[] validate (X509Certificate[] chain)

Validate the given certificate chain.

public final X509Certificate[] validate (X509Certificate[] chain, Collection<X509Certificate> otherCerts)

Validate the given certificate chain. If otherCerts is non-null, it is a Collection of additional X509Certificates that could be helpful for path building.