| |
|
| java.lang.Object
 java.security.cert.PKIXParameters
All known Subclasses: java.security.cert.PKIXBuilderParameters,
| PKIXParameters | | public class PKIXParameters implements CertPathParameters(Code) | | Parameters used as input for the PKIX CertPathValidator
algorithm.
A PKIX CertPathValidator uses these parameters to
validate a CertPath according to the PKIX certification path
validation algorithm.
To instantiate a PKIXParameters object, an
application must specify one or more most-trusted CAs as defined by
the PKIX certification path validation algorithm. The most-trusted CAs
can be specified using one of two constructors. An application
can call
PKIXParameters.PKIXParameters(Set) PKIXParameters(Set) ,
specifying a Set of TrustAnchor objects, each
of which identify a most-trusted CA. Alternatively, an application can call
PKIXParameters.PKIXParameters(KeyStore) PKIXParameters(KeyStore) , specifying a
KeyStore instance containing trusted certificate entries, each
of which will be considered as a most-trusted CA.
Once a PKIXParameters object has been created, other parameters
can be specified (by calling
PKIXParameters.setInitialPolicies setInitialPolicies
or
PKIXParameters.setDate setDate , for instance) and then the
PKIXParameters is passed along with the CertPath
to be validated to
CertPathValidator.validate CertPathValidator.validate .
Any parameter that is not set (or is set to null) will
be set to the default value for that parameter. The default value for the
date parameter is null, which indicates
the current time when the path is validated. The default for the
remaining parameters is the least constrained.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not
thread-safe. Multiple threads that need to access a single
object concurrently should synchronize amongst themselves and
provide the necessary locking. Multiple threads each manipulating
separate objects need not synchronize.
See Also: CertPathValidator
version:
1.25 05/05/07
since:
1.4
author:
Sean Mullan
author:
Yassir Elley |
| Constructor Summary | |
| public | PKIXParameters(Set<TrustAnchor> trustAnchors)
Creates an instance of PKIXParameters with the specified
Set of most-trusted CAs. | | public | PKIXParameters(KeyStore keystore)
Creates an instance of PKIXParameters that
populates the set of most-trusted CAs from the trusted
certificate entries contained in the specified KeyStore. |
| PKIXParameters | | public PKIXParameters(KeyStore keystore) throws KeyStoreException, InvalidAlgorithmParameterException(Code) | | Creates an instance of PKIXParameters that
populates the set of most-trusted CAs from the trusted
certificate entries contained in the specified KeyStore.
Only keystore entries that contain trusted X509Certificates
are considered; all other certificate types are ignored.
Parameters:
keystore - a KeyStore from which the set of most-trusted CAs will be populated
throws:
KeyStoreException - if the keystore has not been initialized
throws:
InvalidAlgorithmParameterException - if the keystore doesnot contain at least one trusted certificate entry
throws:
NullPointerException - if the keystore is null |
| addCertPathChecker | | public void addCertPathChecker(PKIXCertPathChecker checker)(Code) | | Adds a PKIXCertPathChecker to the list of certification
path checkers. See the
PKIXParameters.setCertPathCheckers setCertPathCheckers method for more details.
Note that the PKIXCertPathChecker is cloned to protect
against subsequent modifications.
Parameters:
checker - a PKIXCertPathChecker to add to the list of checks. If null, the checker is ignored (not added to list). |
| addCertStore | | public void addCertStore(CertStore store)(Code) | | Adds a CertStore to the end of the list of
CertStores used in finding certificates and CRLs.
Parameters:
store - the CertStore to add. If null,the store is ignored (not added to list). |
| clone | | public Object clone()(Code) | | Makes a copy of this PKIXParameters object. Changes
to the copy will not affect the original and vice versa.
a copy of this PKIXParameters object |
| getCertPathCheckers | | public List<PKIXCertPathChecker> getCertPathCheckers()(Code) | | Returns the List of certification path checkers.
The returned List is immutable, and each
PKIXCertPathChecker in the List is cloned
to protect against subsequent modifications.
an immutable List of PKIXCertPathCheckers (may be empty, but not null)
See Also: PKIXParameters.setCertPathCheckers |
| getCertStores | | public List<CertStore> getCertStores()(Code) | | Returns an immutable List of CertStores that
are used to find certificates and CRLs.
an immutable List of CertStores (may be empty, but never null)
See Also: PKIXParameters.setCertStores |
| getDate | | public Date getDate()(Code) | | Returns the time for which the validity of the certification path
should be determined. If null, the current time is used.
Note that the Date returned is copied to protect against
subsequent modifications.
the Date, or null if not set
See Also: PKIXParameters.setDate |
| getInitialPolicies | | public Set<String> getInitialPolicies()(Code) | | Returns an immutable Set of initial
policy identifiers (OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. The default return value is an empty
Set, which is interpreted as meaning that any policy would
be acceptable.
an immutable Set of initial policy OIDs inString format, or an empty Set (implying any policy is acceptable). Never returns null.
See Also: PKIXParameters.setInitialPolicies |
| getPolicyQualifiersRejected | | public boolean getPolicyQualifiersRejected()(Code) | | Gets the PolicyQualifiersRejected flag. If this flag is true,
certificates that include policy qualifiers in a certificate policies
extension that is marked critical are rejected.
If the flag is false, certificates are not rejected on this basis.
When a PKIXParameters object is created, this flag is
set to true. This setting reflects the most common (and simplest)
strategy for processing policy qualifiers. Applications that want to use
a more sophisticated policy must set this flag to false.
the current value of the PolicyQualifiersRejected flag
See Also: PKIXParameters.setPolicyQualifiersRejected |
| getTargetCertConstraints | | public CertSelector getTargetCertConstraints()(Code) | | Returns the required constraints on the target certificate.
The constraints are returned as an instance of CertSelector.
If null, no constraints are defined.
Note that the CertSelector returned is cloned
to protect against subsequent modifications.
a CertSelector specifying the constraints on the target certificate (or null)
See Also: PKIXParameters.setTargetCertConstraints |
| isAnyPolicyInhibited | | public boolean isAnyPolicyInhibited()(Code) | | Checks whether the any policy OID should be processed if it
is included in a certificate.
true if the any policy OID is inhibited, false otherwise |
| isExplicitPolicyRequired | | public boolean isExplicitPolicyRequired()(Code) | | Checks if explicit policy is required. If this flag is true, an
acceptable policy needs to be explicitly identified in every certificate.
By default, the ExplicitPolicyRequired flag is false.
true if explicit policy is required, false otherwise |
| isPolicyMappingInhibited | | public boolean isPolicyMappingInhibited()(Code) | | Checks if policy mapping is inhibited. If this flag is true, policy
mapping is inhibited. By default, policy mapping is not inhibited (the
flag is false).
true if policy mapping is inhibited, false otherwise |
| isRevocationEnabled | | public boolean isRevocationEnabled()(Code) | | Checks the RevocationEnabled flag. If this flag is true, the default
revocation checking mechanism of the underlying PKIX service provider
will be used. If this flag is false, the default revocation checking
mechanism will be disabled (not used). See the
PKIXParameters.setRevocationEnabled setRevocationEnabled method for more details on
setting the value of this flag.
the current value of the RevocationEnabled flag |
| setAnyPolicyInhibited | | public void setAnyPolicyInhibited(boolean val)(Code) | | Sets state to determine if the any policy OID should be processed
if it is included in a certificate. By default, the any policy OID
is not inhibited (
PKIXParameters.isAnyPolicyInhibited isAnyPolicyInhibited()
returns false).
Parameters:
val - true if the any policy OID is to be inhibited, false otherwise |
| setCertPathCheckers | | public void setCertPathCheckers(List<PKIXCertPathChecker> checkers)(Code) | | Sets a List of additional certification path checkers. If
the specified List contains an object that is not a
PKIXCertPathChecker, it is ignored.
Each PKIXCertPathChecker specified implements
additional checks on a certificate. Typically, these are checks to
process and verify private extensions contained in certificates.
Each PKIXCertPathChecker should be instantiated with any
initialization parameters needed to execute the check.
This method allows sophisticated applications to extend a PKIX
CertPathValidator or CertPathBuilder.
Each of the specified PKIXCertPathCheckers will be called,
in turn, by a PKIX CertPathValidator or
CertPathBuilder for each certificate processed or
validated.
Regardless of whether these additional PKIXCertPathCheckers
are set, a PKIX CertPathValidator or
CertPathBuilder must perform all of the required PKIX
checks on each certificate. The one exception to this rule is if the
RevocationEnabled flag is set to false (see the
PKIXParameters.setRevocationEnabled setRevocationEnabled method).
Note that the List supplied here is copied and each
PKIXCertPathChecker in the list is cloned to protect
against subsequent modifications.
Parameters:
checkers - a List of PKIXCertPathCheckers.May be null, in which case no additional checkers will beused.
throws:
ClassCastException - if any of the elements in the listare not of type java.security.cert.PKIXCertPathChecker
See Also: PKIXParameters.getCertPathCheckers |
| setCertStores | | public void setCertStores(List<CertStore> stores)(Code) | | Sets the list of CertStores to be used in finding
certificates and CRLs. May be null, in which case
no CertStores will be used. The first
CertStores in the list may be preferred to those that
appear later.
Note that the List is copied to protect against
subsequent modifications.
Parameters:
stores - a List of CertStores (or null)
throws:
ClassCastException - if any of the elements in the list arenot of type java.security.cert.CertStore
See Also: PKIXParameters.getCertStores |
| setDate | | public void setDate(Date date)(Code) | | Sets the time for which the validity of the certification path
should be determined. If null, the current time is used.
Note that the Date supplied here is copied to protect
against subsequent modifications.
Parameters:
date - the Date, or null for the current time
See Also: PKIXParameters.getDate |
| setExplicitPolicyRequired | | public void setExplicitPolicyRequired(boolean val)(Code) | | Sets the ExplicitPolicyRequired flag. If this flag is true, an
acceptable policy needs to be explicitly identified in every certificate.
By default, the ExplicitPolicyRequired flag is false.
Parameters:
val - true if explicit policy is to be required, false otherwise |
| setInitialPolicies | | public void setInitialPolicies(Set<String> initialPolicies)(Code) | | Sets the Set of initial policy identifiers
(OID strings), indicating that any one of these
policies would be acceptable to the certificate user for the purposes of
certification path processing. By default, any policy is acceptable
(i.e. all policies), so a user that wants to allow any policy as
acceptable does not need to call this method, or can call it
with an empty Set (or null).
Note that the Set is copied to protect against
subsequent modifications.
Parameters:
initialPolicies - a Set of initial policy OIDs in String format (or null)
throws:
ClassCastException - if any of the elements in the set arenot of type String
See Also: PKIXParameters.getInitialPolicies |
| setPolicyMappingInhibited | | public void setPolicyMappingInhibited(boolean val)(Code) | | Sets the PolicyMappingInhibited flag. If this flag is true, policy
mapping is inhibited. By default, policy mapping is not inhibited (the
flag is false).
Parameters:
val - true if policy mapping is to be inhibited, false otherwise |
| setPolicyQualifiersRejected | | public void setPolicyQualifiersRejected(boolean qualifiersRejected)(Code) | | Sets the PolicyQualifiersRejected flag. If this flag is true,
certificates that include policy qualifiers in a certificate
policies extension that is marked critical are rejected.
If the flag is false, certificates are not rejected on this basis.
When a PKIXParameters object is created, this flag is
set to true. This setting reflects the most common (and simplest)
strategy for processing policy qualifiers. Applications that want to use
a more sophisticated policy must set this flag to false.
Note that the PKIX certification path validation algorithm specifies
that any policy qualifier in a certificate policies extension that is
marked critical must be processed and validated. Otherwise the
certification path must be rejected. If the policyQualifiersRejected flag
is set to false, it is up to the application to validate all policy
qualifiers in this manner in order to be PKIX compliant.
Parameters:
qualifiersRejected - the new value of the PolicyQualifiersRejected flag
See Also: PKIXParameters.getPolicyQualifiersRejected
See Also: PolicyQualifierInfo |
| setRevocationEnabled | | public void setRevocationEnabled(boolean val)(Code) | | Sets the RevocationEnabled flag. If this flag is true, the default
revocation checking mechanism of the underlying PKIX service provider
will be used. If this flag is false, the default revocation checking
mechanism will be disabled (not used).
When a PKIXParameters object is created, this flag is set
to true. This setting reflects the most common strategy for checking
revocation, since each service provider must support revocation
checking to be PKIX compliant. Sophisticated applications should set
this flag to false when it is not practical to use a PKIX service
provider's default revocation checking mechanism or when an alternative
revocation checking mechanism is to be substituted (by also calling the
PKIXParameters.addCertPathChecker addCertPathChecker or
PKIXParameters.setCertPathCheckers setCertPathCheckers methods).
Parameters:
val - the new value of the RevocationEnabled flag |
| setSigProvider | | public void setSigProvider(String sigProvider)(Code) | | Sets the signature provider's name. The specified provider will be
preferred when creating
java.security.Signature Signature
objects. If null or not set, the first provider found
supporting the algorithm will be used.
Parameters:
sigProvider - the signature provider's name (or null)
See Also: PKIXParameters.getSigProvider |
| setTargetCertConstraints | | public void setTargetCertConstraints(CertSelector selector)(Code) | | Sets the required constraints on the target certificate.
The constraints are specified as an instance of
CertSelector. If null, no constraints are
defined.
Note that the CertSelector specified is cloned
to protect against subsequent modifications.
Parameters:
selector - a CertSelector specifying the constraints on the target certificate (or null)
See Also: PKIXParameters.getTargetCertConstraints |
| toString | | public String toString()(Code) | | Returns a formatted string describing the parameters.
a formatted string describing the parameters. |
|
|
|