java.security.cert
Class PKIXBuilderParameters

java.lang.Object
  |
  +--java.security.cert.PKIXParameters
        |
        +--java.security.cert.PKIXBuilderParameters
All Implemented Interfaces:
CertPathParameters, Cloneable

public class PKIXBuilderParameters
extends PKIXParameters

Parameters used as input for the PKIX CertPathBuilder algorithm.

A PKIX CertPathBuilder uses these parameters to build a CertPath which has been validated according to the PKIX certification path validation algorithm.

To instantiate a PKIXBuilderParameters object, an application must specify the most-trusted CA as defined by the PKIX certification path validation algorithm. The most-trusted CA can be specified using one of several constructors. First, an application can call either PKIXBuilderParameters(PublicKey, String, CertSelector) or PKIXBuilderParameters(PublicKey, String, boolean[], CertSelector), specifying the public key, distinguished name, and optionally the subject unique identifier of the most-trusted CA. Alternatively, if more than one CA is trusted, an application can call PKIXBuilderParameters(Set, CertSelector), specifying a Set of trusted X509Certificates. Finally, an application can call PKIXBuilderParameters(KeyStore, CertSelector), specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.

In addition, an application must specify constraints on the target certificate that the CertPathBuilder will attempt to build a path to. The constraints are specified as a CertSelector object. These constraints should provide the CertPathBuilder with enough search criteria to find the target certificate. Minimal criteria for an X509Certificate usually include the subject name and/or one or more subject alternative names. If enough criteria is not specified, the CertPathBuilder may throw a CertPathBuilderException.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Since:
1.4
See Also:
CertPathBuilder

Constructor Summary
PKIXBuilderParameters(KeyStore keystore, CertSelector targetConstraints)
          Creates an instance of PKIXBuilderParameters that populates the set of most-trusted CA certificates from the trusted certificate entries contained in the specified KeyStore.
PKIXBuilderParameters(PublicKey pubKey, String caName, boolean[] uniqueID, CertSelector targetConstraints)
          Creates an instance of PKIXBuilderParameters with the specified parameter values.
PKIXBuilderParameters(PublicKey pubKey, String caName, CertSelector targetConstraints)
          Creates an instance of PKIXBuilderParameters where the most-trusted CA is specified as a public key and distinguished name.
PKIXBuilderParameters(Set trustedCerts, CertSelector targetConstraints)
          Creates an instance of PKIXBuilderParameters with the specified Set of most-trusted CA certificate(s).
 
Method Summary
 boolean equals(Object other)
          Compares this object for equality with the specified object.
 int getMaxPathLength()
          Returns the value of the maximum number of CA certificates that may exist in a certification path.
 int hashCode()
          Returns a hash code value for this object.
 void setMaxPathLength(int maxPathLength)
          Sets the value of the maximum number of CA certificates that may exist in a certification path.
 String toString()
          Returns a formatted string describing the parameters.
 
Methods inherited from class java.security.cert.PKIXParameters
addCertPathChecker, addCertStore, clone, getCAName, getCertPathCheckers, getCertStores, getDate, getInitialPolicies, getInitialUniqueID, getPolicyQualifiersRejected, getPublicKey, getSigProvider, getTargetCertConstraints, getTrustedCerts, isAnyPolicyInhibited, isExplicitPolicyRequired, isPolicyMappingInhibited, isRevocationEnabled, setAnyPolicyInhibited, setCAPublicKeyAndName, setCAPublicKeyAndName, setCertPathCheckers, setCertStores, setDate, setExplicitPolicyRequired, setInitialPolicies, setPolicyMappingInhibited, setPolicyQualifiersRejected, setRevocationEnabled, setSigProvider, setTargetCertConstraints, setTrustedCerts
 
Methods inherited from class java.lang.Object
finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

PKIXBuilderParameters

public PKIXBuilderParameters(Set trustedCerts,
                             CertSelector targetConstraints)
Creates an instance of PKIXBuilderParameters with the specified Set of most-trusted CA certificate(s). Each element of the set is a trusted X509Certificate.

Note that the Set is copied to protect against subsequent modifications.

Parameters:
trustedCerts - a Set of X509Certificates
targetConstraints - a CertSelector specifying the constraints on the target certificate
Throws:
ClassCastException - if any of the elements in the set are not of type java.security.cert.X509Certificate

PKIXBuilderParameters

public PKIXBuilderParameters(KeyStore keystore,
                             CertSelector targetConstraints)
                      throws KeyStoreException
Creates an instance of PKIXBuilderParameters that populates the set of most-trusted CA certificates from the trusted certificate entries contained in the specified KeyStore. Only keystore entries that contain trusted X509Certificates are considered; all other certificate types are ignored.
Parameters:
keystore - A KeyStore from which the set of most-trusted CA certificates will be populated.
targetConstraints - a CertSelector specifying the constraints on the target certificate
Throws:
KeyStoreException - if the keystore has not been initialized
NullPointerException - if the keystore is null

PKIXBuilderParameters

public PKIXBuilderParameters(PublicKey pubKey,
                             String caName,
                             CertSelector targetConstraints)
                      throws IOException
Creates an instance of PKIXBuilderParameters where the most-trusted CA is specified as a public key and distinguished name. The caName parameter should contain an X.500 distinguished name in RFC 2253 String format.
Parameters:
pubKey - the public key of the most-trusted CA
caName - the X.500 distinguished name of the most-trusted CA
targetConstraints - a CertSelector specifying the constraints on the target certificate
Throws:
IOException - if an error occurs parsing the caName

PKIXBuilderParameters

public PKIXBuilderParameters(PublicKey pubKey,
                             String caName,
                             boolean[] uniqueID,
                             CertSelector targetConstraints)
                      throws IOException
Creates an instance of PKIXBuilderParameters with the specified parameter values.
Parameters:
pubKey - the public key of the most-trusted CA
caName - the distinguished name of the most-trusted CA in RFC 2253 String format
uniqueID - the unique identifier of the most-trusted CA. The array is cloned to protect against subsequent modifications.
targetConstraints - a CertSelector specifying the constraints on the target certificate
Throws:
IOException - if an error occurs parsing the caName
Method Detail

setMaxPathLength

public void setMaxPathLength(int maxPathLength)
                      throws InvalidAlgorithmParameterException
Sets the value of the maximum number of CA certificates that may exist in a certification path. A PKIX CertPathBuilder instance must not build paths longer than the length specified.

A value of 0 implies that the path can only contain a single end-entity certificate. A value of -1 implies that the path length is unconstrained (i.e. there is no maximum). The default maximum path length, if not specified, is 5. Setting a value less than -1 will cause an exception to be thrown.

If any of the CA certificates contain the BasicConstraintsExtension, the value of the pathLenConstraint field of the extension overrides the maximum path length parameter whenever the result is a certification path of smaller length.

Parameters:
maxPathLength - the maximum number of CA certificates that may exist in a certification path
Throws:
InvalidAlgorithmParameterException - if the maximum path length parameter is set to a value less than -1

getMaxPathLength

public int getMaxPathLength()
Returns the value of the maximum number of CA certificates that may exist in a certification path.
Returns:
the maximum number of CA certificates that may exist in a certification path, or -1 if there is no limit

equals

public boolean equals(Object other)
Compares this object for equality with the specified object. If the other object is not an PKIXBuilderParameters, return false. Otherwise, return true if the parameters of the objects are equal.
Overrides:
equals in class PKIXParameters
Parameters:
other - the object to test for equality
Returns:
true if the objects are equal, false otherwise

hashCode

public int hashCode()
Returns a hash code value for this object.
Overrides:
hashCode in class PKIXParameters
Returns:
a hash code value

toString

public String toString()
Returns a formatted string describing the parameters.
Overrides:
toString in class PKIXParameters
Returns:
a formatted string describing the parameters


Submit comments/suggestions about this API.
Copyright 1998-2000 Sun Microsystems, Inc. 901 San Antonio Road,
Palo Alto, California, 94303, U.S.A. All Rights Reserved.