All Packages Class Hierarchy This Package Previous Next Index
Subsystems which accept entities that are authenticated by X.509 certificate chains restrict their operations to validating basic validity of those certificates, and defer policy decisions to components which are contacted by using this callback interface.
Implementations of this interface encapsulate the authentication policies used by an application. So for example some policies might require checking of Certificate Revocation Lists (CRLs), or rejecting certificate chains based on what Certificate Authorities (CAs) are used within the certificate chain.
Initializing an authentication context usually involves providing it with an object which implements this interface. When no such object is provided, the default decision is to extend trust.
public abstract boolean isTrustedFor(X509Cert entity[], String purpose)
Logic of the code implementing this test will normally be to go to the topmost (last) element in the chain, and then check if that entity (a CA, unless the chain has a single element) is trusted for that purpose. If so, true will be returned. Else, CAs lower on the chain will then be checked similarly, and finally the certificate at the head of the chain. If none of the CAs is trusted, and even the entity's own certificate is not trusted, then the chain will be untrusted. (The goal is to use CAs that are trusted, to minimize the complexity of these tests and of the certificate management subystem.)
However, many other trust policies may be implemented. For example, there may be restrictions on the length of a certificate chain, or about cross-certification (that is, the X.500 naming hierarchy may matter). This policy check would be expected to address certificate revocation, if that is recognized in the context of this security policy. Specific signature algorithms might be required, or rejected; attributes in the certificate may preclude extending some kinds of trust; and so on.
public abstract X509Cert[] getAcceptedCAs(String purpose)
All Packages Class Hierarchy This Package Previous Next Index