1/*
2 * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26package com.sun.net.ssl.internal.ssl;
27
28import javax.net.ssl.X509TrustManager;
29
30import java.security.cert.X509Certificate;
31import java.security.cert.CertificateException;
32
/**
 * Extension of {@code X509TrustManager} that, besides building a
 * certificate path to a trusted root, takes responsibility for checking
 * the peer identity against the principal declared in the certificate.
 * <p>
 * Note that this class is referenced by the Deploy workspace. Any update
 * here must not cause breakage there.
 * <p>
 * The class is an alternative to {@code HostnameVerifier}. If an
 * application customizes the {@code HostnameVerifier} of its
 * {@code HttpsURLConnection}, the peer identity is checked by that
 * customized verifier; otherwise it is checked by the extended trust
 * manager.
 * <p>
 * RFC 2830 defines the server identification specification for the "LDAP"
 * algorithm. RFC 2818 defines both the server identification and the
 * client identification specification for the "HTTPS" algorithm.
 * <p>
 * Note for implementers and callers: the four-argument methods describe
 * the hostname check as happening only when both the identification
 * algorithm and the peer hostname are available. A call that omits either
 * one therefore validates the certificate path without binding it to a
 * host name, so callers that rely on this class to stop masquerade
 * attacks must supply both values.
 *
 * @see X509TrustManager
 * @see javax.net.ssl.HostnameVerifier
 *
 * @since 1.6
 * @author Xuelei Fan
 * @deprecated Annotated as deprecated since 9.
 *         {@link javax.net.ssl.X509ExtendedTrustManager} is the public API
 *         for trust managers that perform endpoint identification; whether
 *         it is a drop-in replacement for a given subclass should be
 *         confirmed before migrating.
 */
@Deprecated(since = "9")
public abstract class X509ExtendedTrustManager implements X509TrustManager {

    /**
     * Creates the trust manager. Only subclasses can call this constructor.
     */
    protected X509ExtendedTrustManager() {}

    /**
     * Validates a peer for client SSL authentication.
     * <p>
     * Starting from the partial or complete certificate chain supplied by
     * the peer, an implementation checks the peer identity and builds a
     * certificate path to a trusted root. The method returns normally when
     * the chain can be validated and is trusted for client SSL
     * authentication based on the authentication type.
     * <p>
     * The authentication type is determined by the actual certificate
     * used; for instance, when an RSAPublicKey is used, {@code authType}
     * should be "RSA". Checking is case-sensitive.
     * <p>
     * {@code algorithm} names the client identification protocol to use.
     * If the algorithm and the peer hostname are available, the peer
     * hostname is checked against the peer's identity presented in the
     * X509 certificate, in order to prevent masquerade attacks.
     *
     * @param chain the peer certificate chain
     * @param authType the authentication type based on the client certificate
     * @param hostname the peer hostname
     * @param algorithm the identification algorithm
     * @throws IllegalArgumentException if a null or zero-length chain is
     *         passed in for the chain parameter, or if a null or
     *         zero-length string is passed in for the authType parameter
     * @throws CertificateException if the certificate chain is not trusted
     *         by this TrustManager
     */
    public abstract void checkClientTrusted(
            X509Certificate[] chain,
            String authType,
            String hostname,
            String algorithm) throws CertificateException;

    /**
     * Validates a peer for server SSL authentication.
     * <p>
     * Starting from the partial or complete certificate chain supplied by
     * the peer, an implementation checks the peer identity and builds a
     * certificate path to a trusted root. The method returns normally when
     * the chain can be validated and is trusted for server SSL
     * authentication based on the authentication type.
     * <p>
     * The authentication type is the key exchange algorithm portion of the
     * cipher suites represented as a String, such as "RSA" or "DHE_DSS".
     * Checking is case-sensitive.
     * <p>
     * {@code algorithm} names the server identification protocol to use.
     * If the algorithm and the peer hostname are available, the peer
     * hostname is checked against the peer's identity presented in the
     * X509 certificate, in order to prevent masquerade attacks.
     *
     * @param chain the peer certificate chain
     * @param authType the key exchange algorithm used
     * @param hostname the peer hostname
     * @param algorithm the identification algorithm
     * @throws IllegalArgumentException if a null or zero-length chain is
     *         passed in for the chain parameter, or if a null or
     *         zero-length string is passed in for the authType parameter
     * @throws CertificateException if the certificate chain is not trusted
     *         by this TrustManager
     */
    public abstract void checkServerTrusted(
            X509Certificate[] chain,
            String authType,
            String hostname,
            String algorithm) throws CertificateException;
}
124