java.lang.Object java.security.cert.PKIXParameters
Parameters used as input for the PKIX CertPathValidator algorithm.
A PKIX CertPathValidator uses these parameters to validate a CertPath according to the PKIX certification path validation algorithm.
To instantiate a PKIXParameters object, an application must specify one or more most-trusted CAs as defined by the PKIX certification path validation algorithm. The most-trusted CAs can be specified using one of two constructors. An application can call PKIXParameters(Set) , specifying a Set of TrustAnchor objects, each of which identify a most-trusted CA. Alternatively, an application can call PKIXParameters(KeyStore) , specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.
Once a PKIXParameters object has been created, other parameters can be specified (by calling setInitialPolicies or setDate , for instance) and then the PKIXParameters is passed along with the CertPath to be validated to CertPathValidator.validate .
Any parameter that is not set (or is set to null) will be set to the default value for that parameter. The default value for the date parameter is null, which indicates the current time when the path is validated. The default for the remaining parameters is the least constrained.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
Constructor Summary | |
---|---|
PKIXParameters
(
KeyStore
keystore) Creates an instance of PKIXParameters that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified KeyStore. |
|
PKIXParameters
(
Set
<
TrustAnchor
Creates an instance of PKIXParameters with the specified Set of most-trusted CAs. |
Method Summary | |
---|---|
void |
addCertPathChecker
(
PKIXCertPathChecker
checker) Adds a PKIXCertPathChecker to the list of certification path checkers. |
void |
addCertStore
(
CertStore
store) Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs. |
Object |
clone
() Makes a copy of this PKIXParameters object. |
List < PKIXCertPathChecker |
getCertPathCheckers
() Returns the List of certification path checkers. |
List < CertStore |
getCertStores
() Returns an immutable List of CertStores that are used to find certificates and CRLs. |
Date |
getDate
() Returns the time for which the validity of the certification path should be determined. |
Set < String |
getInitialPolicies
() Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. |
boolean |
getPolicyQualifiersRejected
() Gets the PolicyQualifiersRejected flag. |
String |
getSigProvider
() Returns the signature provider's name, or null if not set. |
CertSelector |
getTargetCertConstraints
() Returns the required constraints on the target certificate. |
Set < TrustAnchor |
getTrustAnchors
() Returns an immutable Set of the most-trusted CAs. |
boolean |
isAnyPolicyInhibited
() Checks whether the any policy OID should be processed if it is included in a certificate. |
boolean |
isExplicitPolicyRequired
() Checks if explicit policy is required. |
boolean |
isPolicyMappingInhibited
() Checks if policy mapping is inhibited. |
boolean |
isRevocationEnabled
() Checks the RevocationEnabled flag. |
void |
setAnyPolicyInhibited
(boolean val) Sets state to determine if the any policy OID should be processed if it is included in a certificate. |
void |
setCertPathCheckers
(
List
<
PKIXCertPathChecker
Sets a List of additional certification path checkers. |
void |
setCertStores
(
List
<
CertStore
Sets the list of CertStores to be used in finding certificates and CRLs. |
void |
setDate
(
Date
date) Sets the time for which the validity of the certification path should be determined. |
void |
setExplicitPolicyRequired
(boolean val) Sets the ExplicitPolicyRequired flag. |
void |
setInitialPolicies
(
Set
<
String
Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. |
void |
setPolicyMappingInhibited
(boolean val) Sets the PolicyMappingInhibited flag. |
void |
setPolicyQualifiersRejected
(boolean qualifiersRejected) Sets the PolicyQualifiersRejected flag. |
void |
setRevocationEnabled
(boolean val) Sets the RevocationEnabled flag. |
void |
setSigProvider
(
String
sigProvider) Sets the signature provider's name. |
void |
setTargetCertConstraints
(
CertSelector
selector) Sets the required constraints on the target certificate. |
void |
setTrustAnchors
(
Set
<
TrustAnchor
Sets the Set of most-trusted CAs. |
String |
toString
() Returns a formatted string describing the parameters. |
Methods inherited from class java.lang. Object |
---|
equals , finalize , getClass , hashCode , notify , notifyAll , wait , wait , wait |
Constructor Detail |
---|
public PKIXParameters(Set< TrustAnchortrustAnchors) throwsInvalidAlgorithmParameterException> trustAnchors) throws InvalidAlgorithmParameterException
Note that the Set is copied to protect against subsequent modifications.
public PKIXParameters(KeyStore keystore) throws KeyStoreException, InvalidAlgorithmParameterException
Method Detail |
---|
public Set< TrustAnchor> getTrustAnchors()
public void setTrustAnchors(Set< TrustAnchortrustAnchors) throwsInvalidAlgorithmParameterException> trustAnchors) throws InvalidAlgorithmParameterException
Note that the Set is copied to protect against subsequent modifications.
public Set< String> getInitialPolicies()
public void setInitialPolicies(Set< String> initialPolicies)initialPolicies)
Note that the Set is copied to protect against subsequent modifications.
public void setCertStores(List< CertStore> stores)stores)
Note that the List is copied to protect against subsequent modifications.
public void addCertStore(CertStore store)
public List< CertStore> getCertStores()
public void setRevocationEnabled(boolean val)
When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).
public boolean isRevocationEnabled()
public void setExplicitPolicyRequired(boolean val)
public boolean isExplicitPolicyRequired()
public void setPolicyMappingInhibited(boolean val)
public boolean isPolicyMappingInhibited()
public void setAnyPolicyInhibited(boolean val)
public boolean isAnyPolicyInhibited()
public void setPolicyQualifiersRejected(boolean qualifiersRejected)
When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.
Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.
public boolean getPolicyQualifiersRejected()
When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.
public Date getDate()
Note that the Date returned is copied to protect against subsequent modifications.
public void setDate(Date date)
Note that the Date supplied here is copied to protect against subsequent modifications.
public void setCertPathCheckers(List< PKIXCertPathChecker> checkers)checkers)
Each PKIXCertPathChecker specified implements additional checks on a certificate. Typically, these are checks to process and verify private extensions contained in certificates. Each PKIXCertPathChecker should be instantiated with any initialization parameters needed to execute the check.
This method allows sophisticated applications to extend a PKIX CertPathValidator or CertPathBuilder. Each of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX CertPathValidator or CertPathBuilder for each certificate processed or validated.
Regardless of whether these additional PKIXCertPathCheckers are set, a PKIX CertPathValidator or CertPathBuilder must perform all of the required PKIX checks on each certificate. The one exception to this rule is if the RevocationEnabled flag is set to false (see the setRevocationEnabled method).
Note that the List supplied here is copied and each PKIXCertPathChecker in the list is cloned to protect against subsequent modifications.
public List< PKIXCertPathChecker> getCertPathCheckers()
public void addCertPathChecker(PKIXCertPathChecker checker)
Note that the PKIXCertPathChecker is cloned to protect against subsequent modifications.
public String getSigProvider()
public void setSigProvider(String sigProvider)
public CertSelector getTargetCertConstraints()
Note that the CertSelector returned is cloned to protect against subsequent modifications.
public void setTargetCertConstraints(CertSelector selector)
Note that the CertSelector specified is cloned to protect against subsequent modifications.
public Object clone()
public String toString()