Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/mobile
 Path: blob/master/src/java.base/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
41159 views
1
/*

2
 * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25


26
package javax.net.ssl;

27


28
import java.net.Socket;

29
import javax.net.ssl.X509TrustManager;

30


31
import java.security.cert.X509Certificate;

32
import java.security.cert.CertificateException;

33


34
/**

35
 * Extensions to the {@code X509TrustManager} interface to support

36
 * SSL/TLS/DTLS connection sensitive trust management.

37
 * <p>

38
 * To prevent man-in-the-middle attacks, hostname checks can be done

39
 * to verify that the hostname in an end-entity certificate matches the

40
 * targeted hostname.  TLS/DTLS does not require such checks, but some

41
 * protocols over TLS/DTLS (such as HTTPS) do.  In earlier versions of the

42
 * JDK, the certificate chain checks were done at the SSL/TLS/DTLS layer,

43
 * and the hostname verification checks were done at the layer over TLS/DTLS.

44
 * This class allows for the checking to be done during a single call to

45
 * this class.

46
 * <p>

47
 * RFC 2830 defines the server identification specification for the "LDAPS"

48
 * algorithm. RFC 2818 defines both the server identification and the

49
 * client identification specification for the "HTTPS" algorithm.

50
 *

51
 * @see X509TrustManager

52
 * @see HostnameVerifier

53
 *

54
 * @since 1.7

55
 */

56
public abstract class X509ExtendedTrustManager implements X509TrustManager {

57
    /**

58
     * Constructor for subclasses to call.

59
     */

60
    public X509ExtendedTrustManager() {}

61


62
    /**

63
     * Given the partial or complete certificate chain provided by the

64
     * peer, build and validate the certificate path based on the

65
     * authentication type and ssl parameters.

66
     * <p>

67
     * The authentication type is determined by the actual certificate

68
     * used. For instance, if RSAPublicKey is used, the authType

69
     * should be "RSA". Checking is case-sensitive.

70
     * <p>

71
     * If the {@code socket} parameter is an instance of

72
     * {@link javax.net.ssl.SSLSocket}, and the endpoint identification

73
     * algorithm of the {@code SSLParameters} is non-empty, to prevent

74
     * man-in-the-middle attacks, the address that the {@code socket}

75
     * connected to should be checked against the peer's identity presented

76
     * in the end-entity X509 certificate, as specified in the endpoint

77
     * identification algorithm.

78
     * <p>

79
     * If the {@code socket} parameter is an instance of

80
     * {@link javax.net.ssl.SSLSocket}, and the algorithm constraints of the

81
     * {@code SSLParameters} is non-null, for every certificate in the

82
     * certification path, fields such as subject public key, the signature

83
     * algorithm, key usage, extended key usage, etc. need to conform to the

84
     * algorithm constraints in place on this socket.

85
     *

86
     * @param chain the peer certificate chain

87
     * @param authType the key exchange algorithm used

88
     * @param socket the socket used for this connection. This parameter

89
     *        can be null, which indicates that implementations need not check

90
     *        the ssl parameters

91
     * @throws IllegalArgumentException if null or zero-length array is passed

92
     *        in for the {@code chain} parameter or if null or zero-length

93
     *        string is passed in for the {@code authType} parameter

94
     * @throws CertificateException if the certificate chain is not trusted

95
     *        by this TrustManager

96
     *

97
     * @see SSLParameters#getEndpointIdentificationAlgorithm

98
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

99
     * @see SSLParameters#getAlgorithmConstraints

100
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

101
     */

102
    public abstract void checkClientTrusted(X509Certificate[] chain,

103
            String authType, Socket socket) throws CertificateException;

104


105
    /**

106
     * Given the partial or complete certificate chain provided by the

107
     * peer, build and validate the certificate path based on the

108
     * authentication type and ssl parameters.

109
     * <p>

110
     * The authentication type is the key exchange algorithm portion

111
     * of the cipher suites represented as a String, such as "RSA",

112
     * "DHE_DSS". Note: for some exportable cipher suites, the key

113
     * exchange algorithm is determined at run time during the

114
     * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,

115
     * the authType should be RSA_EXPORT when an ephemeral RSA key is

116
     * used for the key exchange, and RSA when the key from the server

117
     * certificate is used. Checking is case-sensitive.

118
     * <p>

119
     * If the {@code socket} parameter is an instance of

120
     * {@link javax.net.ssl.SSLSocket}, and the endpoint identification

121
     * algorithm of the {@code SSLParameters} is non-empty, to prevent

122
     * man-in-the-middle attacks, the address that the {@code socket}

123
     * connected to should be checked against the peer's identity presented

124
     * in the end-entity X509 certificate, as specified in the endpoint

125
     * identification algorithm.

126
     * <p>

127
     * If the {@code socket} parameter is an instance of

128
     * {@link javax.net.ssl.SSLSocket}, and the algorithm constraints of the

129
     *  {@code SSLParameters} is non-null, for every certificate in the

130
     * certification path, fields such as subject public key, the signature

131
     * algorithm, key usage, extended key usage, etc. need to conform to the

132
     * algorithm constraints in place on this socket.

133
     *

134
     * @param chain the peer certificate chain

135
     * @param authType the key exchange algorithm used

136
     * @param socket the socket used for this connection. This parameter

137
     *        can be null, which indicates that implementations need not check

138
     *        the ssl parameters

139
     * @throws IllegalArgumentException if null or zero-length array is passed

140
     *        in for the {@code chain} parameter or if null or zero-length

141
     *        string is passed in for the {@code authType} parameter

142
     * @throws CertificateException if the certificate chain is not trusted

143
     *        by this TrustManager

144
     *

145
     * @see SSLParameters#getEndpointIdentificationAlgorithm

146
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

147
     * @see SSLParameters#getAlgorithmConstraints

148
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

149
     */

150
    public abstract void checkServerTrusted(X509Certificate[] chain,

151
        String authType, Socket socket) throws CertificateException;

152


153
    /**

154
     * Given the partial or complete certificate chain provided by the

155
     * peer, build and validate the certificate path based on the

156
     * authentication type and ssl parameters.

157
     * <p>

158
     * The authentication type is determined by the actual certificate

159
     * used. For instance, if RSAPublicKey is used, the authType

160
     * should be "RSA". Checking is case-sensitive.

161
     * <p>

162
     * If the {@code engine} parameter is available, and the endpoint

163
     * identification algorithm of the {@code SSLParameters} is

164
     * non-empty, to prevent man-in-the-middle attacks, the address that

165
     * the {@code engine} connected to should be checked against

166
     * the peer's identity presented in the end-entity X509 certificate,

167
     * as specified in the endpoint identification algorithm.

168
     * <p>

169
     * If the {@code engine} parameter is available, and the algorithm

170
     * constraints of the {@code SSLParameters} is non-null, for every

171
     * certificate in the certification path, fields such as subject public

172
     * key, the signature algorithm, key usage, extended key usage, etc.

173
     * need to conform to the algorithm constraints in place on this engine.

174
     *

175
     * @param chain the peer certificate chain

176
     * @param authType the key exchange algorithm used

177
     * @param engine the engine used for this connection. This parameter

178
     *        can be null, which indicates that implementations need not check

179
     *        the ssl parameters

180
     * @throws IllegalArgumentException if null or zero-length array is passed

181
     *        in for the {@code chain} parameter or if null or zero-length

182
     *        string is passed in for the {@code authType} parameter

183
     * @throws CertificateException if the certificate chain is not trusted

184
     *        by this TrustManager

185
     *

186
     * @see SSLParameters#getEndpointIdentificationAlgorithm

187
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

188
     * @see SSLParameters#getAlgorithmConstraints

189
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

190
     */

191
    public abstract void checkClientTrusted(X509Certificate[] chain,

192
        String authType, SSLEngine engine) throws CertificateException;

193


194
    /**

195
     * Given the partial or complete certificate chain provided by the

196
     * peer, build and validate the certificate path based on the

197
     * authentication type and ssl parameters.

198
     * <p>

199
     * The authentication type is the key exchange algorithm portion

200
     * of the cipher suites represented as a String, such as "RSA",

201
     * "DHE_DSS". Note: for some exportable cipher suites, the key

202
     * exchange algorithm is determined at run time during the

203
     * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,

204
     * the authType should be RSA_EXPORT when an ephemeral RSA key is

205
     * used for the key exchange, and RSA when the key from the server

206
     * certificate is used. Checking is case-sensitive.

207
     * <p>

208
     * If the {@code engine} parameter is available, and the endpoint

209
     * identification algorithm of the {@code SSLParameters} is

210
     * non-empty, to prevent man-in-the-middle attacks, the address that

211
     * the {@code engine} connected to should be checked against

212
     * the peer's identity presented in the end-entity X509 certificate,

213
     * as specified in the endpoint identification algorithm.

214
     * <p>

215
     * If the {@code engine} parameter is available, and the algorithm

216
     * constraints of the {@code SSLParameters} is non-null, for every

217
     * certificate in the certification path, fields such as subject public

218
     * key, the signature algorithm, key usage, extended key usage, etc.

219
     * need to conform to the algorithm constraints in place on this engine.

220
     *

221
     * @param chain the peer certificate chain

222
     * @param authType the key exchange algorithm used

223
     * @param engine the engine used for this connection. This parameter

224
     *        can be null, which indicates that implementations need not check

225
     *        the ssl parameters

226
     * @throws IllegalArgumentException if null or zero-length array is passed

227
     *        in for the {@code chain} parameter or if null or zero-length

228
     *        string is passed in for the {@code authType} parameter

229
     * @throws CertificateException if the certificate chain is not trusted

230
     *        by this TrustManager

231
     *

232
     * @see SSLParameters#getEndpointIdentificationAlgorithm

233
     * @see SSLParameters#setEndpointIdentificationAlgorithm(String)

234
     * @see SSLParameters#getAlgorithmConstraints

235
     * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)

236
     */

237
    public abstract void checkServerTrusted(X509Certificate[] chain,

238
        String authType, SSLEngine engine) throws CertificateException;

239


240
}

241


242