
    1   /*
    2    * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved.
    3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
    4    *
    5    * This code is free software; you can redistribute it and/or modify it
    6    * under the terms of the GNU General Public License version 2 only, as
    7    * published by the Free Software Foundation.  Oracle designates this
    8    * particular file as subject to the "Classpath" exception as provided
    9    * by Oracle in the LICENSE file that accompanied this code.
   10    *
   11    * This code is distributed in the hope that it will be useful, but WITHOUT
   12    * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
   13    * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   14    * version 2 for more details (a copy is included in the LICENSE file that
   15    * accompanied this code).
   16    *
   17    * You should have received a copy of the GNU General Public License version
   18    * 2 along with this work; if not, write to the Free Software Foundation,
   19    * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   20    *
   21    * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
   22    * or visit www.oracle.com if you need additional information or have any
   23    * questions.
   24    */
   25   
   26   package javax.net.ssl;
   27   
   28   import java.security.cert.*;
   29   
/**
 * Instances of this interface decide which X509 certificates may be
 * used to authenticate the remote side of a secure socket. A decision
 * may rest on trusted certificate authorities, certificate revocation
 * lists, online status checking or other means.
 * <p>
 * Both check methods report rejection only by throwing
 * {@link CertificateException}; a normal return means the chain is
 * accepted. An implementation whose check methods return without
 * validating the chain therefore accepts every peer certificate.
 * <p>
 * The check methods receive only the certificate chain and the
 * authentication type, not the peer's host name or the connection, so
 * matching the certificate against the intended peer identity has to
 * happen elsewhere (see {@code X509ExtendedTrustManager}, added in 1.7,
 * whose check methods also receive the socket or engine).
 *
 * @since 1.4
 */
public interface X509TrustManager extends TrustManager {

    /**
     * Builds a certificate path from the partial or complete chain
     * supplied by the peer to a trusted root, and returns normally only
     * if that path validates and is trusted for client SSL
     * authentication with the given authentication type.
     * <p>
     * The authentication type follows from the certificate actually
     * used; with an RSAPublicKey, for instance, authType should be
     * "RSA". The comparison is case-sensitive.
     *
     * @param chain the peer certificate chain
     * @param authType the authentication type based on the client certificate
     * @throws IllegalArgumentException if the chain parameter is null or
     *         zero-length, or if the authType parameter is null or a
     *         zero-length string
     * @throws CertificateException if the certificate chain is not trusted
     *         by this TrustManager; this is the only way to reject a chain
     */
    void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException;

    /**
     * Builds a certificate path from the partial or complete chain
     * supplied by the peer to a trusted root, and returns normally only
     * if that path validates and is trusted for server SSL
     * authentication with the given authentication type.
     * <p>
     * The authentication type is the key exchange algorithm portion of
     * the cipher suite, given as a String such as "RSA" or "DHE_DSS".
     * Note: for some exportable cipher suites the key exchange algorithm
     * is only determined at run time, during the handshake. For
     * TLS_RSA_EXPORT_WITH_RC4_40_MD5, for instance, authType should be
     * RSA_EXPORT when an ephemeral RSA key is used for the key exchange
     * and RSA when the key from the server certificate is used. The
     * comparison is case-sensitive.
     *
     * @param chain the peer certificate chain
     * @param authType the key exchange algorithm used
     * @throws IllegalArgumentException if the chain parameter is null or
     *         zero-length, or if the authType parameter is null or a
     *         zero-length string
     * @throws CertificateException if the certificate chain is not trusted
     *         by this TrustManager; this is the only way to reject a chain
     */
    void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException;

    /**
     * Returns the certificate authority certificates that are trusted
     * for authenticating peers.
     *
     * @return a non-null (possibly empty) array of acceptable
     *         CA issuer certificates; implementations must not return
     *         {@code null}
     */
    X509Certificate[] getAcceptedIssuers();
}
