|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--java.security.cert.PKIXParameters
Parameters used as input for the PKIX CertPathValidator
algorithm.
A PKIX CertPathValidator
uses these parameters to
validate a CertPath
according to the PKIX certification path
validation algorithm.
To instantiate a PKIXParameters
object, an
application must specify the most-trusted CA as defined by
the PKIX certification path validation algorithm. The most-trusted CA
can be specified using one of several constructors. First, an application
can call either PKIXParameters(PublicKey, String)
or PKIXParameters(PublicKey, String, boolean[])
, specifying the public key,
distinguished name, and optionally the subject unique identifier of the
most-trusted CA. Alternatively, if more than one CA is trusted, an
application can call PKIXParameters(Set)
,
specifying a Set
of trusted X509Certificate
s.
Finally, an application can call PKIXParameters(KeyStore)
, specifying a KeyStore
instance
containing trusted certificate entries, each of which will be considered
as a most-trusted CA.
Once a PKIXParameters
object has been created, other parameters
can be specified (by calling setInitialPolicies
or setDate
, for instance) and then the
PKIXParameters
is passed along with the CertPath
to be validated to CertPathValidator.validate
.
Any parameter that is not set (or is set to null
) will
be set to the default value for that parameter. The default value for the
date
parameter is null
, which indicates
the current time when the path is validated. The default for the
remaining parameters is the least constrained.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
CertPathValidator
Constructor Summary | |
PKIXParameters(KeyStore keystore)
Creates an instance of PKIXParameters that
populates the set of most-trusted CA certificates from the trusted
certificate entries contained in the specified KeyStore . |
|
PKIXParameters(PublicKey pubKey,
String caName)
Creates an instance of PKIXParameters where the
most-trusted CA is specified as a public key and distinguished name. |
|
PKIXParameters(PublicKey pubKey,
String caName,
boolean[] uniqueID)
Creates an instance of PKIXParameters with the
specified parameter values. |
|
PKIXParameters(Set trustedCerts)
Creates an instance of PKIXParameters with the specified
Set of most-trusted CA certificates. |
Method Summary | |
void |
addCertPathChecker(PKIXCertPathChecker checker)
Adds a PKIXCertPathChecker to the list of certification
path checkers. |
void |
addCertStore(CertStore store)
Adds a CertStore to the end of the list of
CertStore s used in finding certificates and CRLs. |
Object |
clone()
Makes a copy of this PKIXParameters object. |
boolean |
equals(Object other)
Compares this object for equality with the specified object. |
String |
getCAName()
Returns the name of the most-trusted CA in RFC 2253 String
format. |
List |
getCertPathCheckers()
Returns the List of certification path checkers. |
List |
getCertStores()
Returns an immutable List of CertStore s that
are used to find certificates and CRLs. |
Date |
getDate()
Returns the time for which the validity of the certification path should be determined. |
Set |
getInitialPolicies()
Returns an immutable Set of initial
policy identifiers (OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. |
boolean[] |
getInitialUniqueID()
Returns the unique identifier of the most-trusted CA, or null if not set. |
boolean |
getPolicyQualifiersRejected()
Gets the PolicyQualifiersRejected flag. |
PublicKey |
getPublicKey()
Returns the public key of the most-trusted CA. |
String |
getSigProvider()
Returns the signature provider's name, or null
if not set. |
CertSelector |
getTargetCertConstraints()
Returns the required constraints on the target certificate. |
Set |
getTrustedCerts()
Returns an immutable Set of the most-trusted
CA certificates. |
int |
hashCode()
Returns a hash code value for this object. |
boolean |
isAnyPolicyInhibited()
Checks whether the any policy OID should be processed if it is included in a certificate. |
boolean |
isExplicitPolicyRequired()
Checks if explicit policy is required. |
boolean |
isPolicyMappingInhibited()
Checks if policy mapping is inhibited. |
boolean |
isRevocationEnabled()
Checks the RevocationEnabled flag. |
void |
setAnyPolicyInhibited(boolean val)
Sets state to determine if the any policy OID should be processed if it is included in a certificate. |
void |
setCAPublicKeyAndName(PublicKey pubKey,
String caName)
Sets the public key and name of the most-trusted CA. |
void |
setCAPublicKeyAndName(PublicKey pubKey,
String caName,
boolean[] uniqueID)
Sets the public key, name and unique identifier of the CA. |
void |
setCertPathCheckers(List checkers)
Sets a List of additional certification path checkers. |
void |
setCertStores(List stores)
Sets the list of CertStore s to be used in finding
certificates and CRLs. |
void |
setDate(Date date)
Sets the time for which the validity of the certification path should be determined. |
void |
setExplicitPolicyRequired(boolean val)
Sets the ExplicitPolicyRequired flag. |
void |
setInitialPolicies(Set initialPolicies)
Sets the Set of initial policy identifiers
(OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. |
void |
setPolicyMappingInhibited(boolean val)
Sets the PolicyMappingInhibited flag. |
void |
setPolicyQualifiersRejected(boolean qualifiersRejected)
Sets the PolicyQualifiersRejected flag. |
void |
setRevocationEnabled(boolean val)
Sets the RevocationEnabled flag. |
void |
setSigProvider(String sigProvider)
Sets the signature provider's name. |
void |
setTargetCertConstraints(CertSelector selector)
Sets the required constraints on the target certificate. |
void |
setTrustedCerts(Set trustedCerts)
Sets the Set of most-trusted CA certificates. |
String |
toString()
Returns a formatted string describing the parameters. |
Methods inherited from class java.lang.Object |
finalize, getClass, notify, notifyAll, wait, wait, wait |
Constructor Detail |
public PKIXParameters(Set trustedCerts)
PKIXParameters
with the specified
Set
of most-trusted CA certificates. Each element of the
set is a a trusted X509Certificiate
.
Note that the Set
is copied to protect against
subsequent modifications.
trustedCerts
- a Set
of X509Certificate
sClassCastException
- if any of the elements in the set
are not of type java.security.cert.X509Certificate
public PKIXParameters(KeyStore keystore) throws KeyStoreException
PKIXParameters
that
populates the set of most-trusted CA certificates from the trusted
certificate entries contained in the specified KeyStore
.
Only keystore entries that contain trusted X509Certificates
are considered; all other certificate types are ignored.keystore
- a KeyStore
from which the set of
most-trusted CA certificates will be populatedKeyStoreException
- if the keystore has not been initialized.NullPointerException
- if the keystore is null
public PKIXParameters(PublicKey pubKey, String caName) throws IOException
PKIXParameters
where the
most-trusted CA is specified as a public key and distinguished name.pubKey
- the public key of the most-trusted CAcaName
- the X.500 distinguished name of the most-trusted CA in
RFC 2253 String
formatIOException
- if an error occurs parsing the caName
public PKIXParameters(PublicKey pubKey, String caName, boolean[] uniqueID) throws IOException
PKIXParameters
with the
specified parameter values.pubKey
- the public key of the most-trusted CAcaName
- the X.500 distinguished name of the most-trusted CA in
RFC 2253 String
formatuniqueID
- the unique identifier of the most-trusted CA
subject unique identifier. The array is cloned to protect against
subsequent modifications.IOException
- if an error occurs parsing the caName
Method Detail |
public Set getTrustedCerts()
Set
of the most-trusted
CA certificates.Set
of X509Certificate
s
or null
if not specifiedpublic void setTrustedCerts(Set trustedCerts)
Set
of most-trusted CA certificates.
Any current values for the pubKey
,
caName
or uniqueID
parameters are cleared
(set to null
).
Note that the Set
is copied to protect against
subsequent modifications.
trustedCerts
- a Set
of X509Certificate
sClassCastException
- if any of the elements in the set
are not of type java.security.cert.X509Certificate
public Set getInitialPolicies()
Set
of initial
policy identifiers (OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. The default return value is an empty
Set
, which is interpreted as meaning that any policy would
be acceptable.Set
of initial policy OIDs in
String
format, or an empty Set
(implying any
policy is acceptable). Never returns null
.public void setInitialPolicies(Set initialPolicies)
Set
of initial policy identifiers
(OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. By default, any policy is acceptable
(i.e. all policies), so a user that wants to allow any policy as
acceptable does not need to call this method, or can call it
with an empty Set
(or null
).
Note that the Set
is copied to protect against
subsequent modifications.
initialPolicies
- a Set
of initial policy
OIDs in String
format (or null
)ClassCastException
- if any of the elements in the set are
not of type String
public PublicKey getPublicKey()
null
if not setpublic void setCAPublicKeyAndName(PublicKey pubKey, String caName) throws IOException
trustedCerts
parameter is
cleared (set to null
).pubKey
- the public key of the most-trusted CAcaName
- the X.500 distinguished name of the most-trusted CA in
RFC 2253 String
formatIOException
- if an error occurs parsing the caName
public void setCAPublicKeyAndName(PublicKey pubKey, String caName, boolean[] uniqueID) throws IOException
trustedCerts
parameter is
cleared (set to null
).pubKey
- the public key of the most-trusted CAcaName
- the X.500 distinguished name of the most-trusted CA in
RFC 2253 String
formatuniqueID
- a boolean array containing the unique identifier of
the most-trusted CA. Note that the array is copied to protect against
subsequent modifications.IOException
- if an error occurs parsing the caName
public String getCAName()
String
format.null
if not setpublic void setCertStores(List stores)
CertStore
s to be used in finding
certificates and CRLs. May be null
, in which case
no CertStore
s will be used. The first
CertStore
s in the list may be preferred to those that
appear later.
Note that the List
is copied to protect against
subsequent modifications.
stores
- a List
of CertStore
s (or
null
)ClassCastException
- if any of the elements in the list are
not of type java.security.cert.CertStore
public void addCertStore(CertStore store)
CertStore
to the end of the list of
CertStore
s used in finding certificates and CRLs.store
- the CertStore
to add. If null
,
the store is ignored (not added to list).public List getCertStores()
List
of CertStore
s that
are used to find certificates and CRLs.List
of CertStore
s
(may be empty, but never null
)public boolean[] getInitialUniqueID()
null
if not set. Note that the array returned is copied
to protect against subsequent modifications.null
if not setpublic void setRevocationEnabled(boolean val)
When a PKIXParameters
object is created, this flag is set
to true. This setting reflects the most common strategy for checking
revocation, since each service provider must support revocation
checking to be PKIX compliant. Sophisticated applications should set
this flag to false when it is not practical to use a PKIX service
provider's default revocation checking mechanism or when an alternative
revocation checking mechanism is to be substituted (by also calling the
addCertPathChecker
or setCertPathCheckers
methods).
val
- the new value of the RevocationEnabled flagpublic boolean isRevocationEnabled()
setRevocationEnabled
method for more details on
setting the value of this flag.public void setExplicitPolicyRequired(boolean val)
val
- true
if explicit policy is to be required,
false
otherwisepublic boolean isExplicitPolicyRequired()
true
if explicit policy is required,
false
otherwisepublic void setPolicyMappingInhibited(boolean val)
val
- true
if policy mapping is to be inhibited,
false
otherwisepublic boolean isPolicyMappingInhibited()
public void setAnyPolicyInhibited(boolean val)
isAnyPolicyInhibited()
returns false
).val
- true
if the any policy OID is to be
inhibited, false
otherwisepublic boolean isAnyPolicyInhibited()
true
if the any policy OID is inhibited,
false
otherwisepublic void setPolicyQualifiersRejected(boolean qualifiersRejected)
When a PKIXParameters
object is created, this flag is
set to true. This setting reflects the most common (and simplest)
strategy for processing policy qualifiers. Applications that want to use
a more sophisticated policy must set this flag to false.
Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.
qualifiersRejected
- the new value of the PolicyQualifiersRejected
flagPolicyQualifierInfo
public boolean getPolicyQualifiersRejected()
When a PKIXParameters
object is created, this flag is
set to true. This setting reflects the most common (and simplest)
strategy for processing policy qualifiers. Applications that want to use
a more sophisticated policy must set this flag to false.
public Date getDate()
null
, the current time is used.
Note that the Date
returned is copied to protect against
subsequent modifications.
Date
, or null
if not setpublic void setDate(Date date)
null
, the current time is used.
Note that the Date
supplied here is copied to protect
against subsequent modifications.
date
- the Date
, or null
for the
current timepublic void setCertPathCheckers(List checkers)
List
of additional certification path checkers. If
the specified List
contains an object that is not a
PKIXCertPathChecker
, it is ignored.
Each PKIXCertPathChecker
specified implements
additional checks on a certificate. Typically, these are checks to
process and verify private extensions contained in certificates.
Each PKIXCertPathChecker
should be instantiated with any
initialization parameters needed to execute the check.
This method allows sophisticated applications to extend a PKIX
CertPathValidator
or CertPathBuilder
.
Each of the specified PKIXCertPathChecker
s will be called,
in turn, by a PKIX CertPathValidator
or
CertPathBuilder
for each certificate processed or
validated.
Regardless of whether these additional PKIXCertPathChecker
s
are set, a PKIX CertPathValidator
or
CertPathBuilder
must perform all of the required PKIX
checks on each certificate. The one exception to this rule is if the
RevocationEnabled flag is set to false (see the setRevocationEnabled
method).
Note that the List
supplied here is copied and each
PKIXCertPathChecker
in the list is cloned to protect
against subsequent modifications.
checkers
- a List
of PKIXCertPathChecker
s.
May be null
, in which case no additional checkers will be
used.ClassCastException
- if any of the elements in the list
are not of type java.security.cert.PKIXCertPathChecker
public List getCertPathCheckers()
List
of certification path checkers.
The returned List
is immutable, and each
PKIXCertPathChecker
in the List
is cloned
to protect against subsequent modifications.List
of
PKIXCertPathChecker
s (may be empty, but not
null
)public void addCertPathChecker(PKIXCertPathChecker checker)
PKIXCertPathChecker
to the list of certification
path checkers. See the setCertPathCheckers
method for more details.
Note that the PKIXCertPathChecker
is cloned to protect
against subsequent modifications.
checker
- a PKIXCertPathChecker
to add to the list of
checks. If null
, the checker is ignored (not added to list).public String getSigProvider()
null
if not set.null
)public void setSigProvider(String sigProvider)
Signature
objects. If null
or not set, the first provider found
supporting the algorithm will be used.sigProvider
- the signature provider's name (or null
)public CertSelector getTargetCertConstraints()
CertSelector
.
If null
, no constraints are defined.
Note that the CertSelector
returned is cloned
to protect against subsequent modifications.
CertSelector
specifying the constraints
on the target certificate (or null
)public void setTargetCertConstraints(CertSelector selector)
CertSelector
. If null
, no constraints are
defined.
Note that the CertSelector
specified is cloned
to protect against subsequent modifications.
selector
- a CertSelector
specifying the constraints
on the target certificate (or null
)public boolean equals(Object other)
PKIXParameters
,
return false
. Otherwise, return true
if the
parameters of the objects are equal.equals
in class Object
other
- the object to test for equalitytrue
if the objects are equal,
false
otherwisepublic int hashCode()
hashCode
in class Object
public Object clone()
PKIXParameters
object. Changes
to the copy will not affect the original and vice versa.clone
in interface CertPathParameters
clone
in class Object
PKIXParameters
objectpublic String toString()
toString
in class Object
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |