public abstract class X509ExtendedTrustManager extends Object implements X509TrustManager

All Implemented Interfaces: X509TrustManager

Note that this class is referenced by the Deploy workspace. Any updates must make sure that they do not cause any breakage there.

It takes the responsibility of checking the peer identity against the principal declared in the certificate. The class provides an alternative to HostnameVerifier.

If an application customizes its HostnameVerifier for HttpsURLConnection, the peer identity will be checked by the customized HostnameVerifier; otherwise, it will be checked by the extended trust manager.

RFC 2830 defines the server identification specification for the "LDAP" algorithm. RFC 2818 defines both the server identification and the client identification specification for the "HTTPS" algorithm.

See Also: X509TrustManager, HostnameVerifier
Constructor Summary

| Modifier | Constructor and Description |
|---|---|
| protected | X509ExtendedTrustManager() — Constructor used by subclasses only. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| abstract void | checkClientTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) — Given the partial or complete certificate chain provided by the peer, check its identity and build a certificate path to a trusted root; return if it can be validated and is trusted for client SSL authentication based on the authentication type. |
| abstract void | checkServerTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) — Given the partial or complete certificate chain provided by the peer, check its identity and build a certificate path to a trusted root; return if it can be validated and is trusted for server SSL authentication based on the authentication type. |
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface X509TrustManager: checkClientTrusted, checkServerTrusted, getAcceptedIssuers
Constructor Detail

protected X509ExtendedTrustManager()

Constructor used by subclasses only.

Method Detail

public abstract void checkClientTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException

Given the partial or complete certificate chain provided by the peer, check its identity and build a certificate path to a trusted root; return if it can be validated and is trusted for client SSL authentication based on the authentication type.

The authentication type is determined by the actual certificate used. For instance, if RSAPublicKey is used, the authType should be "RSA". Checking is case-sensitive.

The algorithm parameter specifies the client identification protocol to use. If the algorithm and the peer hostname are available, the peer hostname is checked against the peer's identity presented in the X509 certificate, in order to prevent masquerade attacks.

Parameters:
- chain - the peer certificate chain
- authType - the authentication type based on the client certificate
- hostname - the peer hostname
- algorithm - the identification algorithm

Throws:
- IllegalArgumentException - if a null or zero-length chain is passed in for the chain parameter, or if a null or zero-length string is passed in for the authType parameter
- CertificateException - if the certificate chain is not trusted by this TrustManager

public abstract void checkServerTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException

Given the partial or complete certificate chain provided by the peer, check its identity and build a certificate path to a trusted root; return if it can be validated and is trusted for server SSL authentication based on the authentication type.

The authentication type is the key exchange algorithm portion of the cipher suite represented as a String, such as "RSA" or "DHE_DSS". Checking is case-sensitive.

The algorithm parameter specifies the server identification protocol to use. If the algorithm and the peer hostname are available, the peer hostname is checked against the peer's identity presented in the X509 certificate, in order to prevent masquerade attacks.

Parameters:
- chain - the peer certificate chain
- authType - the key exchange algorithm used
- hostname - the peer hostname
- algorithm - the identification algorithm

Throws:
- IllegalArgumentException - if a null or zero-length chain is passed in for the chain parameter, or if a null or zero-length string is passed in for the authType parameter
- CertificateException - if the certificate chain is not trusted by this TrustManager
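The following is an added example of a concrete subclass that honours both method contracts above (chain validation plus the hostname identity check that prevents masquerade attacks); it is not code from the JDK. It delegates path building to the platform's default X509TrustManager and implements the identity check with public APIs only: dNSName subject alternative names first, falling back to the most specific CN only when no dNSName is present, as RFC 2818 section 3.1 specifies. The package import for X509ExtendedTrustManager, the class name IdentityCheckingTrustManager and the helper names (requireArgs, checkIdentity, matches, mostSpecificCommonName) are assumptions made for this example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
// Assumed location of the class documented on this page; adjust to the actual package.
import sun.security.ssl.X509ExtendedTrustManager;

/** Chain validation via the default trust manager, then an RFC 2818 / RFC 2830 identity check. */
public class IdentityCheckingTrustManager extends X509ExtendedTrustManager {

    private final X509TrustManager delegate;

    public IdentityCheckingTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                      // null = the platform's default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
                                   String hostname, String algorithm) throws CertificateException {
        requireArgs(chain, authType);
        delegate.checkClientTrusted(chain, authType);   // path building to a trusted root
        checkIdentity(chain[0], hostname, algorithm);   // identity check on the end-entity certificate
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
                                   String hostname, String algorithm) throws CertificateException {
        requireArgs(chain, authType);
        delegate.checkServerTrusted(chain, authType);
        checkIdentity(chain[0], hostname, algorithm);
    }

    // Two-argument forms inherited from X509TrustManager: no hostname is known, so only the chain is checked.
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireArgs(chain, authType);
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireArgs(chain, authType);
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // IllegalArgumentException for a null or zero-length chain/authType, as the method contracts require.
    private static void requireArgs(X509Certificate[] chain, String authType) {
        if (chain == null || chain.length == 0) throw new IllegalArgumentException("null or zero-length chain");
        if (authType == null || authType.length() == 0) throw new IllegalArgumentException("null or zero-length authType");
    }

    // The identity check runs only when both the hostname and the algorithm are available.
    static void checkIdentity(X509Certificate cert, String hostname, String algorithm) throws CertificateException {
        if (hostname == null || algorithm == null) return;
        String alg = algorithm.toUpperCase(Locale.ROOT);
        if (!alg.equals("HTTPS") && !alg.equals("LDAP")) {
            throw new CertificateException("unknown identification algorithm: " + algorithm);
        }
        String host = hostname.toLowerCase(Locale.ROOT);
        boolean sawDnsName = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == 2) {   // GeneralName type 2 = dNSName
                    sawDnsName = true;
                    if (matches(((String) san.get(1)).toLowerCase(Locale.ROOT), host)) return;
                }
            }
        }
        // RFC 2818 section 3.1: the CN is consulted only if the certificate carries no dNSName.
        if (!sawDnsName) {
            String cn = mostSpecificCommonName(cert.getSubjectX500Principal());
            if (cn != null && matches(cn.toLowerCase(Locale.ROOT), host)) return;
        }
        throw new CertificateException("no name in the certificate matches " + hostname);
    }

    // A wildcard may replace only the leftmost label and must leave at least two labels after it.
    static boolean matches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);                   // "*.example.com" -> ".example.com"
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(suffix) && suffix.indexOf('.', 1) > 0;
    }

    // In LdapName the leftmost (most specific) RDN of the string form has the highest index.
    static String mostSpecificCommonName(X500Principal subject) {
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (int i = dn.size() - 1; i >= 0; i--) {
                Rdn rdn = dn.getRdn(i);
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
            }
        } catch (InvalidNameException e) {
            // unparsable subject DN: treat as having no CN
        }
        return null;
    }
}
```

The ordering matters: the chain is validated before the name is compared, so an attacker-controlled certificate never reaches the string matching unless it already chains to a trusted root, and a mismatch is reported as a CertificateException exactly as the contract above requires. Rejecting an unknown algorithm string rather than skipping the check is the safe default; silently skipping would turn a misconfiguration into a missing identity check.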