codec.util
Class CertificateChainVerifier

java.lang.Object
  |
  +--codec.util.CertificateChainVerifier

public class CertificateChainVerifier
extends Object

Provides utility methods for managing certificates, for instance verification of certificate chains and similar recurring tasks. For each certificate that is verified the following constraints are checked:

Future revisions of this class might also provide automatic checking of certificate revocation lists.

Version:
"$Id: CertificateChainVerifier.java,v 1.2 2000/12/06 17:47:34 vroth Exp $"
Author:
Volker Roth

Constructor Summary
CertificateChainVerifier(CertificateSource trusted)
          Creates an instance.
 
Method Summary
 boolean isTrusted(X509Certificate cert)
          Checks if the given certificate is a trusted certificate.
 void verify(X509Certificate cert)
          Verifies the given certificate against the trusted certificates passed to the constructor of this instance.
 void verify(X509Certificate cert, CertificateSource other)
          Verifies the given certificate.
 void verifyChain(X509Certificate[] chain)
          Verifies the given certificate chain.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertificateChainVerifier

public CertificateChainVerifier(CertificateSource trusted)
Creates an instance.
Parameters:
trusted - The CertificateSource with the trusted CA certificates.
Method Detail

verify

public void verify(X509Certificate cert,
                   CertificateSource other)
            throws GeneralSecurityException
Verifies the given certificate. The chain of certificate issuers is traced using the certificates in other as well as the trusted certificates that were passed to the constructor of this instance. The chain must end in a trusted certificate.

In case of mismatches or errors this method aborts with an exception. In the case of success it completes normally.

Parameters:
cert - The certificate that is verified.
other - A CertificateSource with supplementary certificates. These certificates are not treated as trusted certificates. Hence they do not complete a certificate chain.
Throws:
GeneralSecurityException - if something goes wrong. Reasons can be expired certificates, invalid signatures, unavailable algorithms, and more. The exact cause is signalled by the actual type of exception being thrown. For instance, a bad signature is signalled by means of a SignatureException.

verify

public void verify(X509Certificate cert)
            throws GeneralSecurityException
Verifies the given certificate against the trusted certificates passed to the constructor of this instance. If the verification succeeds then this method completes normally. Otherwise, an exception is thrown.
Throws:
GeneralSecurityException - if the verification fails. The exact cause is signalled by means of the exception sub-type.

verifyChain

public void verifyChain(X509Certificate[] chain)
                 throws GeneralSecurityException
Verifies the given certificate chain. In case of a successful verification this method completes normally. Otherwise, it throws an exception. In order for the verification to succeed, at least one certificate in it must be a trusted certificate and the chain must be valid up to the trusted certificate.
Parameters:
chain - The chain of certificates to be verified. The chain starts at index 0. Each certificate but the first must authenticate the preceding certificate in the chain.
Throws:
GeneralSecurityException - if the verification fails.
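
The chain contract described for verifyChain, written out with standard JDK calls only. This is an added example, not the codec.util implementation. The class name ChainWalkExample and the Set<X509Certificate> parameter (a stand-in for CertificateSource) are hypothetical, and the CA check on untrusted issuers is an assumption that this page does not state.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;

/** Added illustration; not the codec.util implementation. */
public final class ChainWalkExample {

    /**
     * Walks the chain from index 0: chain[i + 1] must have issued chain[i].
     * Completes normally once a certificate contained in trustedCerts is
     * reached; otherwise throws. trustedCerts is a hypothetical stand-in
     * for the CertificateSource passed to the constructor.
     */
    public static void verifyChain(X509Certificate[] chain,
                                   Set<X509Certificate> trustedCerts)
            throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty chain");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            // Throws CertificateExpiredException or CertificateNotYetValidException.
            cert.checkValidity();

            if (trustedCerts.contains(cert)) {
                return; // chain is valid up to a trusted certificate
            }
            if (i + 1 == chain.length) {
                break; // no further issuer supplied and trust was not reached
            }
            X509Certificate issuer = chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new CertificateException("issuer/subject mismatch at index " + i);
            }
            // Assumption (not stated on the page): an untrusted issuer must be a CA.
            // getBasicConstraints() returns -1 for certificates that are not CAs.
            if (!trustedCerts.contains(issuer) && issuer.getBasicConstraints() < 0) {
                throw new CertificateException("non-CA issuer at index " + (i + 1));
            }
            // Throws SignatureException if the issuer's key did not sign cert.
            cert.verify(issuer.getPublicKey());
        }
        throw new CertificateException("chain does not end in a trusted certificate");
    }
}
```

Callers can catch the specific subtypes (for example SignatureException or CertificateExpiredException) before GeneralSecurityException to distinguish failure causes, and must treat any exception as a failed verification.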

isTrusted

public boolean isTrusted(X509Certificate cert)
Checks if the given certificate is a trusted certificate.
Parameters:
cert - The certificate to check.
Returns:
true if cert is a trusted certificate and false otherwise.


Copyright © Fraunhofer Gesellschaft. All Rights Reserved.