1/*
2 * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26package javax.net.ssl;
27
28import java.security.cert.*;
29
30/**
31 * Instance of this interface manage which X509 certificates
32 * may be used to authenticate the remote side of a secure
33 * socket. Decisions may be based on trusted certificate
34 * authorities, certificate revocation lists, online
35 * status checking or other means.
36 *
37 * @since 1.4
38 */
39public interface X509TrustManager extends TrustManager {
40    /**
41     * Given the partial or complete certificate chain provided by the
42     * peer, build a certificate path to a trusted root and return if
43     * it can be validated and is trusted for client SSL
44     * authentication based on the authentication type.
45     * <p>
46     * The authentication type is determined by the actual certificate
47     * used. For instance, if RSAPublicKey is used, the authType
48     * should be "RSA". Checking is case-sensitive.
49     *
50     * @param chain the peer certificate chain
51     * @param authType the authentication type based on the client certificate
52     * @throws IllegalArgumentException if null or zero-length chain
53     *         is passed in for the chain parameter or if null or zero-length
54     *         string is passed in for the  authType parameter
55     * @throws CertificateException if the certificate chain is not trusted
56     *         by this TrustManager.
57     */
58    public void checkClientTrusted(X509Certificate[] chain, String authType)
59        throws CertificateException;
60
61    /**
62     * Given the partial or complete certificate chain provided by the
63     * peer, build a certificate path to a trusted root and return if
64     * it can be validated and is trusted for server SSL
65     * authentication based on the authentication type.
66     * <p>
67     * The authentication type is the key exchange algorithm portion
68     * of the cipher suites represented as a String, such as "RSA",
69     * "DHE_DSS". Note: for some exportable cipher suites, the key
70     * exchange algorithm is determined at run time during the
71     * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,
72     * the authType should be RSA_EXPORT when an ephemeral RSA key is
73     * used for the key exchange, and RSA when the key from the server
74     * certificate is used. Checking is case-sensitive.
75     *
76     * @param chain the peer certificate chain
77     * @param authType the key exchange algorithm used
78     * @throws IllegalArgumentException if null or zero-length chain
79     *         is passed in for the chain parameter or if null or zero-length
80     *         string is passed in for the  authType parameter
81     * @throws CertificateException if the certificate chain is not trusted
82     *         by this TrustManager.
83     */
84    public void checkServerTrusted(X509Certificate[] chain, String authType)
85        throws CertificateException;
86
87    /**
88     * Return an array of certificate authority certificates
89     * which are trusted for authenticating peers.
90     *
91     * @return a non-null (possibly empty) array of acceptable
92     *          CA issuer certificates.
93     */
94    public X509Certificate[] getAcceptedIssuers();
95}
96