- All Implemented Interfaces:
Cloneable
,CertPathParameters
- Direct Known Subclasses:
PKIXBuilderParameters
CertPathValidator
algorithm.
A PKIX CertPathValidator
uses these parameters to
validate a CertPath
according to the PKIX certification path
validation algorithm.
To instantiate a PKIXParameters
object, an
application must specify one or more most-trusted CAs as defined by
the PKIX certification path validation algorithm. The most-trusted CAs
can be specified using one of two constructors. An application
can call PKIXParameters(Set)
,
specifying a Set
of TrustAnchor
objects, each
of which identify a most-trusted CA. Alternatively, an application can call
PKIXParameters(KeyStore)
, specifying a
KeyStore
instance containing trusted certificate entries, each
of which will be considered as a most-trusted CA.
Once a PKIXParameters
object has been created, other parameters
can be specified (by calling setInitialPolicies
or setDate
, for instance) and then the
PKIXParameters
is passed along with the CertPath
to be validated to CertPathValidator.validate
.
Any parameter that is not set (or is set to null
) will
be set to the default value for that parameter. The default value for the
date
parameter is null
, which indicates
the current time when the path is validated. The default for the
remaining parameters is the least constrained.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.4
- See Also:
CertPathValidator
-
Constructor Summary
ConstructorDescriptionPKIXParameters(KeyStore keystore)
Creates an instance ofPKIXParameters
that populates the set of most-trusted CAs from the trusted certificate entries contained in the specifiedKeyStore
.PKIXParameters(Set<TrustAnchor> trustAnchors)
Creates an instance ofPKIXParameters
with the specifiedSet
of most-trusted CAs. -
Method Summary
Modifier and TypeMethodDescriptionvoid
addCertPathChecker(PKIXCertPathChecker checker)
Adds aPKIXCertPathChecker
to the list of certification path checkers.void
addCertStore(CertStore store)
Adds aCertStore
to the end of the list ofCertStore
s used in finding certificates and CRLs.clone()
Makes a copy of thisPKIXParameters
object.Returns theList
of certification path checkers.Returns an immutableList
ofCertStore
s that are used to find certificates and CRLs.getDate()
Returns the time for which the validity of the certification path should be determined.Returns an immutableSet
of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.boolean
Gets the PolicyQualifiersRejected flag.Returns the signature provider's name, ornull
if not set.Returns the required constraints on the target certificate.Returns an immutableSet
of the most-trusted CAs.boolean
Checks whether the any policy OID should be processed if it is included in a certificate.boolean
Checks if explicit policy is required.boolean
Checks if policy mapping is inhibited.boolean
Checks the RevocationEnabled flag.void
setAnyPolicyInhibited(boolean val)
Sets state to determine if the any policy OID should be processed if it is included in a certificate.void
setCertPathCheckers(List<PKIXCertPathChecker> checkers)
Sets aList
of additional certification path checkers.void
setCertStores(List<CertStore> stores)
Sets the list ofCertStore
s to be used in finding certificates and CRLs.void
Sets the time for which the validity of the certification path should be determined.void
setExplicitPolicyRequired(boolean val)
Sets the ExplicitPolicyRequired flag.void
setInitialPolicies(Set<String> initialPolicies)
Sets theSet
of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.void
setPolicyMappingInhibited(boolean val)
Sets the PolicyMappingInhibited flag.void
setPolicyQualifiersRejected(boolean qualifiersRejected)
Sets the PolicyQualifiersRejected flag.void
setRevocationEnabled(boolean val)
Sets the RevocationEnabled flag.void
setSigProvider(String sigProvider)
Sets the signature provider's name.void
setTargetCertConstraints(CertSelector selector)
Sets the required constraints on the target certificate.void
setTrustAnchors(Set<TrustAnchor> trustAnchors)
Sets theSet
of most-trusted CAs.toString()
Returns a formatted string describing the parameters.
-
Constructor Details
-
PKIXParameters
Creates an instance ofPKIXParameters
with the specifiedSet
of most-trusted CAs. Each element of the set is aTrustAnchor
.Note that the
Set
is copied to protect against subsequent modifications.- Parameters:
trustAnchors
- aSet
ofTrustAnchor
s- Throws:
InvalidAlgorithmParameterException
- if the specifiedSet
is empty(trustAnchors.isEmpty() == true)
NullPointerException
- if the specifiedSet
isnull
ClassCastException
- if any of the elements in theSet
are not of typejava.security.cert.TrustAnchor
-
PKIXParameters
public PKIXParameters(KeyStore keystore) throws KeyStoreException, InvalidAlgorithmParameterExceptionCreates an instance ofPKIXParameters
that populates the set of most-trusted CAs from the trusted certificate entries contained in the specifiedKeyStore
. Only keystore entries that contain trustedX509Certificates
are considered; all other certificate types are ignored.- Parameters:
keystore
- aKeyStore
from which the set of most-trusted CAs will be populated- Throws:
KeyStoreException
- if the keystore has not been initializedInvalidAlgorithmParameterException
- if the keystore does not contain at least one trusted certificate entryNullPointerException
- if the keystore isnull
-
-
Method Details
-
getTrustAnchors
Returns an immutableSet
of the most-trusted CAs.- Returns:
- an immutable
Set
ofTrustAnchor
s (nevernull
) - See Also:
setTrustAnchors(java.util.Set<java.security.cert.TrustAnchor>)
-
setTrustAnchors
public void setTrustAnchors(Set<TrustAnchor> trustAnchors) throws InvalidAlgorithmParameterExceptionSets theSet
of most-trusted CAs.Note that the
Set
is copied to protect against subsequent modifications.- Parameters:
trustAnchors
- aSet
ofTrustAnchor
s- Throws:
InvalidAlgorithmParameterException
- if the specifiedSet
is empty(trustAnchors.isEmpty() == true)
NullPointerException
- if the specifiedSet
isnull
ClassCastException
- if any of the elements in the set are not of typejava.security.cert.TrustAnchor
- See Also:
getTrustAnchors()
-
getInitialPolicies
Returns an immutableSet
of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. The default return value is an emptySet
, which is interpreted as meaning that any policy would be acceptable.- Returns:
- an immutable
Set
of initial policy OIDs inString
format, or an emptySet
(implying any policy is acceptable). Never returnsnull
. - See Also:
setInitialPolicies(java.util.Set<java.lang.String>)
-
setInitialPolicies
Sets theSet
of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. By default, any policy is acceptable (i.e. all policies), so a user that wants to allow any policy as acceptable does not need to call this method, or can call it with an emptySet
(ornull
).Note that the
Set
is copied to protect against subsequent modifications.- Parameters:
initialPolicies
- aSet
of initial policy OIDs inString
format (ornull
)- Throws:
ClassCastException
- if any of the elements in the set are not of typeString
- See Also:
getInitialPolicies()
-
setCertStores
Sets the list ofCertStore
s to be used in finding certificates and CRLs. May benull
, in which case noCertStore
s will be used. The firstCertStore
s in the list may be preferred to those that appear later.Note that the
List
is copied to protect against subsequent modifications.- Parameters:
stores
- aList
ofCertStore
s (ornull
)- Throws:
ClassCastException
- if any of the elements in the list are not of typejava.security.cert.CertStore
- See Also:
getCertStores()
-
addCertStore
Adds aCertStore
to the end of the list ofCertStore
s used in finding certificates and CRLs.- Parameters:
store
- theCertStore
to add. Ifnull
, the store is ignored (not added to list).
-
getCertStores
Returns an immutableList
ofCertStore
s that are used to find certificates and CRLs.- Returns:
- an immutable
List
ofCertStore
s (may be empty, but nevernull
) - See Also:
setCertStores(java.util.List<java.security.cert.CertStore>)
-
setRevocationEnabled
public void setRevocationEnabled(boolean val)Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used).When a
PKIXParameters
object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling theaddCertPathChecker
orsetCertPathCheckers
methods).- Parameters:
val
- the new value of the RevocationEnabled flag
-
isRevocationEnabled
public boolean isRevocationEnabled()Checks the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used). See thesetRevocationEnabled
method for more details on setting the value of this flag.- Returns:
- the current value of the RevocationEnabled flag
-
setExplicitPolicyRequired
public void setExplicitPolicyRequired(boolean val)Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.- Parameters:
val
-true
if explicit policy is to be required,false
otherwise
-
isExplicitPolicyRequired
public boolean isExplicitPolicyRequired()Checks if explicit policy is required. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.- Returns:
true
if explicit policy is required,false
otherwise
-
setPolicyMappingInhibited
public void setPolicyMappingInhibited(boolean val)Sets the PolicyMappingInhibited flag. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).- Parameters:
val
-true
if policy mapping is to be inhibited,false
otherwise
-
isPolicyMappingInhibited
public boolean isPolicyMappingInhibited()Checks if policy mapping is inhibited. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).- Returns:
- true if policy mapping is inhibited, false otherwise
-
setAnyPolicyInhibited
public void setAnyPolicyInhibited(boolean val)Sets state to determine if the any policy OID should be processed if it is included in a certificate. By default, the any policy OID is not inhibited (isAnyPolicyInhibited()
returnsfalse
).- Parameters:
val
-true
if the any policy OID is to be inhibited,false
otherwise
-
isAnyPolicyInhibited
public boolean isAnyPolicyInhibited()Checks whether the any policy OID should be processed if it is included in a certificate.- Returns:
true
if the any policy OID is inhibited,false
otherwise
-
setPolicyQualifiersRejected
public void setPolicyQualifiersRejected(boolean qualifiersRejected)Sets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.When a
PKIXParameters
object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.
- Parameters:
qualifiersRejected
- the new value of the PolicyQualifiersRejected flag- See Also:
getPolicyQualifiersRejected()
,PolicyQualifierInfo
-
getPolicyQualifiersRejected
public boolean getPolicyQualifiersRejected()Gets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.When a
PKIXParameters
object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.- Returns:
- the current value of the PolicyQualifiersRejected flag
- See Also:
setPolicyQualifiersRejected(boolean)
-
getDate
Returns the time for which the validity of the certification path should be determined. Ifnull
, the current time is used.Note that the
Date
returned is copied to protect against subsequent modifications.- Returns:
- the
Date
, ornull
if not set - See Also:
setDate(java.util.Date)
-
setDate
Sets the time for which the validity of the certification path should be determined. Ifnull
, the current time is used.Note that the
Date
supplied here is copied to protect against subsequent modifications.- Parameters:
date
- theDate
, ornull
for the current time- See Also:
getDate()
-
setCertPathCheckers
Sets aList
of additional certification path checkers. If the specifiedList
contains an object that is not aPKIXCertPathChecker
, it is ignored.Each
PKIXCertPathChecker
specified implements additional checks on a certificate. Typically, these are checks to process and verify private extensions contained in certificates. EachPKIXCertPathChecker
should be instantiated with any initialization parameters needed to execute the check.This method allows sophisticated applications to extend a PKIX
CertPathValidator
orCertPathBuilder
. Each of the specifiedPKIXCertPathChecker
s will be called, in turn, by a PKIXCertPathValidator
orCertPathBuilder
for each certificate processed or validated.Regardless of whether these additional
PKIXCertPathChecker
s are set, a PKIXCertPathValidator
orCertPathBuilder
must perform all of the required PKIX checks on each certificate. The one exception to this rule is if the RevocationEnabled flag is set to false (see thesetRevocationEnabled
method).Note that the
List
supplied here is copied and eachPKIXCertPathChecker
in the list is cloned to protect against subsequent modifications.- Parameters:
checkers
- aList
ofPKIXCertPathChecker
s. May benull
, in which case no additional checkers will be used.- Throws:
ClassCastException
- if any of the elements in the list are not of typejava.security.cert.PKIXCertPathChecker
- See Also:
getCertPathCheckers()
-
getCertPathCheckers
Returns theList
of certification path checkers. The returnedList
is immutable, and eachPKIXCertPathChecker
in theList
is cloned to protect against subsequent modifications.- Returns:
- an immutable
List
ofPKIXCertPathChecker
s (may be empty, but notnull
) - See Also:
setCertPathCheckers(java.util.List<java.security.cert.PKIXCertPathChecker>)
-
addCertPathChecker
Adds aPKIXCertPathChecker
to the list of certification path checkers. See thesetCertPathCheckers
method for more details.Note that the
PKIXCertPathChecker
is cloned to protect against subsequent modifications.- Parameters:
checker
- aPKIXCertPathChecker
to add to the list of checks. Ifnull
, the checker is ignored (not added to list).
-
getSigProvider
Returns the signature provider's name, ornull
if not set.- Returns:
- the signature provider's name (or
null
) - See Also:
setSigProvider(java.lang.String)
-
setSigProvider
Sets the signature provider's name. The specified provider will be preferred when creatingSignature
objects. Ifnull
or not set, the first provider found supporting the algorithm will be used.- Parameters:
sigProvider
- the signature provider's name (ornull
)- See Also:
getSigProvider()
-
getTargetCertConstraints
Returns the required constraints on the target certificate. The constraints are returned as an instance ofCertSelector
. Ifnull
, no constraints are defined.Note that the
CertSelector
returned is cloned to protect against subsequent modifications.- Returns:
- a
CertSelector
specifying the constraints on the target certificate (ornull
) - See Also:
setTargetCertConstraints(java.security.cert.CertSelector)
-
setTargetCertConstraints
Sets the required constraints on the target certificate. The constraints are specified as an instance ofCertSelector
. Ifnull
, no constraints are defined.Note that the
CertSelector
specified is cloned to protect against subsequent modifications.- Parameters:
selector
- aCertSelector
specifying the constraints on the target certificate (ornull
)- See Also:
getTargetCertConstraints()
-
clone
Makes a copy of thisPKIXParameters
object. Changes to the copy will not affect the original and vice versa.- Specified by:
clone
in interfaceCertPathParameters
- Overrides:
clone
in classObject
- Returns:
- a copy of this
PKIXParameters
object - See Also:
Cloneable
-
toString
Returns a formatted string describing the parameters.
-