java.security.cert
Class PKIXParameters

java.lang.Object
  |
  +--java.security.cert.PKIXParameters

All Implemented Interfaces:

CertPathParameters, Cloneable

Direct Known Subclasses:

PKIXBuilderParameters

public class PKIXParameters

extends Object

implements CertPathParameters

Parameters used as input for the PKIX CertPathValidator algorithm.

A PKIX CertPathValidator uses these parameters to validate a CertPath according to the PKIX certification path validation algorithm.

To instantiate a PKIXParameters object, an application must specify the most-trusted CA as defined by the PKIX certification path validation algorithm. The most-trusted CA can be specified using one of several constructors. First, an application can call either PKIXParameters(PublicKey, String) or PKIXParameters(PublicKey, String, boolean[]), specifying the public key, distinguished name, and optionally the subject unique identifier of the most-trusted CA. Alternatively, if more than one CA is trusted, an application can call PKIXParameters(Set), specifying a Set of trusted X509Certificates. Finally, an application can call PKIXParameters(KeyStore), specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.

Once a PKIXParameters object has been created, other parameters can be specified (by calling setInitialPolicies or setDate, for instance) and then the PKIXParameters is passed along with the CertPath to be validated to CertPathValidator.validate.

Any parameter that is not set (or is set to null) will be set to the default value for that parameter. The default value for the date parameter is null, which indicates the current time when the path is validated. The default for the remaining parameters is the least constrained.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Since:

1.4

See Also:

CertPathValidator

Constructor Summary

PKIXParameters(KeyStore keystore)
Creates an instance of PKIXParameters that populates the set of most-trusted CA certificates from the trusted certificate entries contained in the specified KeyStore.

PKIXParameters(PublicKey pubKey, String caName)
Creates an instance of PKIXParameters where the most-trusted CA is specified as a public key and distinguished name.

PKIXParameters(PublicKey pubKey, String caName, boolean[] uniqueID)
Creates an instance of PKIXParameters with the specified parameter values.

PKIXParameters(Set trustedCerts)
Creates an instance of PKIXParameters with the specified Set of most-trusted CA certificates.

Method Summary

void	addCertPathChecker(PKIXCertPathChecker checker) Adds a PKIXCertPathChecker to the list of certification path checkers.
void	addCertStore(CertStore store) Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.
Object	clone() Makes a copy of this PKIXParameters object.
boolean	equals(Object other) Compares this object for equality with the specified object.
String	getCAName() Returns the name of the most-trusted CA in RFC 2253 String format.
List	getCertPathCheckers() Returns the List of certification path checkers.
List	getCertStores() Returns an immutable List of CertStores that are used to find certificates and CRLs.
Date	getDate() Returns the time for which the validity of the certification path should be determined.
Set	getInitialPolicies() Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.
boolean[]	getInitialUniqueID() Returns the unique identifier of the most-trusted CA, or null if not set.
boolean	getPolicyQualifiersRejected() Gets the PolicyQualifiersRejected flag.
PublicKey	getPublicKey() Returns the public key of the most-trusted CA.
String	getSigProvider() Returns the signature provider's name, or null if not set.
CertSelector	getTargetCertConstraints() Returns the required constraints on the target certificate.
Set	getTrustedCerts() Returns an immutable Set of the most-trusted CA certificates.
int	hashCode() Returns a hash code value for this object.
boolean	isAnyPolicyInhibited() Checks whether the any policy OID should be processed if it is included in a certificate.
boolean	isExplicitPolicyRequired() Checks if explicit policy is required.
boolean	isPolicyMappingInhibited() Checks if policy mapping is inhibited.
boolean	isRevocationEnabled() Checks the RevocationEnabled flag.
void	setAnyPolicyInhibited(boolean val) Sets state to determine if the any policy OID should be processed if it is included in a certificate.
void	setCAPublicKeyAndName(PublicKey pubKey, String caName) Sets the public key and name of the most-trusted CA.
void	setCAPublicKeyAndName(PublicKey pubKey, String caName, boolean[] uniqueID) Sets the public key, name and unique identifier of the CA.
void	setCertPathCheckers(List checkers) Sets a List of additional certification path checkers.
void	setCertStores(List stores) Sets the list of CertStores to be used in finding certificates and CRLs.
void	setDate(Date date) Sets the time for which the validity of the certification path should be determined.
void	setExplicitPolicyRequired(boolean val) Sets the ExplicitPolicyRequired flag.
void	setInitialPolicies(Set initialPolicies) Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.
void	setPolicyMappingInhibited(boolean val) Sets the PolicyMappingInhibited flag.
void	setPolicyQualifiersRejected(boolean qualifiersRejected) Sets the PolicyQualifiersRejected flag.
void	setRevocationEnabled(boolean val) Sets the RevocationEnabled flag.
void	setSigProvider(String sigProvider) Sets the signature provider's name.
void	setTargetCertConstraints(CertSelector selector) Sets the required constraints on the target certificate.
void	setTrustedCerts(Set trustedCerts) Sets the Set of most-trusted CA certificates.
String	toString() Returns a formatted string describing the parameters.

Methods inherited from class java.lang.Object

finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

PKIXParameters

public PKIXParameters(Set trustedCerts)

Creates an instance of PKIXParameters with the specified Set of most-trusted CA certificates. Each element of the set is a a trusted X509Certificiate.

Note that the Set is copied to protect against subsequent modifications.

Parameters:

trustedCerts - a Set of X509Certificates

Throws:

ClassCastException - if any of the elements in the set are not of type java.security.cert.X509Certificate

PKIXParameters

public PKIXParameters(KeyStore keystore)
               throws KeyStoreException

Creates an instance of PKIXParameters that populates the set of most-trusted CA certificates from the trusted certificate entries contained in the specified KeyStore. Only keystore entries that contain trusted X509Certificates are considered; all other certificate types are ignored.

Parameters:

keystore - a KeyStore from which the set of most-trusted CA certificates will be populated

Throws:

KeyStoreException - if the keystore has not been initialized.

NullPointerException - if the keystore is null

PKIXParameters

public PKIXParameters(PublicKey pubKey,
                      String caName)
               throws IOException

Creates an instance of PKIXParameters where the most-trusted CA is specified as a public key and distinguished name.

Parameters:

pubKey - the public key of the most-trusted CA

caName - the X.500 distinguished name of the most-trusted CA in RFC 2253 String format

Throws:

IOException - if an error occurs parsing the caName

PKIXParameters

public PKIXParameters(PublicKey pubKey,
                      String caName,
                      boolean[] uniqueID)
               throws IOException

Creates an instance of PKIXParameters with the specified parameter values.

Parameters:

pubKey - the public key of the most-trusted CA

caName - the X.500 distinguished name of the most-trusted CA in RFC 2253 String format

uniqueID - the unique identifier of the most-trusted CA subject unique identifier. The array is cloned to protect against subsequent modifications.

Throws:

IOException - if an error occurs parsing the caName

Method Detail

getTrustedCerts

public Set getTrustedCerts()

Returns an immutable Set of the most-trusted CA certificates.

Returns:

an immutable Set of X509Certificates or null if not specified

setTrustedCerts

public void setTrustedCerts(Set trustedCerts)

Sets the Set of most-trusted CA certificates. Any current values for the pubKey, caName or uniqueID parameters are cleared (set to null).

Note that the Set is copied to protect against subsequent modifications.

Parameters:

trustedCerts - a Set of X509Certificates

Throws:

ClassCastException - if any of the elements in the set are not of type java.security.cert.X509Certificate

getInitialPolicies

public Set getInitialPolicies()

Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. The default return value is an empty Set, which is interpreted as meaning that any policy would be acceptable.

Returns:

an immutable Set of initial policy OIDs in String format, or an empty Set (implying any policy is acceptable). Never returns null.

setInitialPolicies

public void setInitialPolicies(Set initialPolicies)

Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. By default, any policy is acceptable (i.e. all policies), so a user that wants to allow any policy as acceptable does not need to call this method, or can call it with an empty Set (or null).

Note that the Set is copied to protect against subsequent modifications.

Parameters:

initialPolicies - a Set of initial policy OIDs in String format (or null)

Throws:

ClassCastException - if any of the elements in the set are not of type String

getPublicKey

public PublicKey getPublicKey()

Returns the public key of the most-trusted CA.

Returns:

the public key of the most-trusted CA, or null if not set

setCAPublicKeyAndName

public void setCAPublicKeyAndName(PublicKey pubKey,
                                  String caName)
                           throws IOException

Sets the public key and name of the most-trusted CA. Any current value for the trustedCerts parameter is cleared (set to null).

Parameters:

pubKey - the public key of the most-trusted CA

caName - the X.500 distinguished name of the most-trusted CA in RFC 2253 String format

Throws:

IOException - if an error occurs parsing the caName

setCAPublicKeyAndName

public void setCAPublicKeyAndName(PublicKey pubKey,
                                  String caName,
                                  boolean[] uniqueID)
                           throws IOException

Sets the public key, name and unique identifier of the CA. Any current value for the trustedCerts parameter is cleared (set to null).

Parameters:

pubKey - the public key of the most-trusted CA

caName - the X.500 distinguished name of the most-trusted CA in RFC 2253 String format

uniqueID - a boolean array containing the unique identifier of the most-trusted CA. Note that the array is copied to protect against subsequent modifications.

Throws:

IOException - if an error occurs parsing the caName

getCAName

public String getCAName()

Returns the name of the most-trusted CA in RFC 2253 String format.

Returns:

the X.500 distinguished name of the most-trusted CA, or null if not set

setCertStores

public void setCertStores(List stores)

Sets the list of CertStores to be used in finding certificates and CRLs. May be null, in which case no CertStores will be used. The first CertStores in the list may be preferred to those that appear later.

Note that the List is copied to protect against subsequent modifications.

Parameters:

stores - a List of CertStores (or null)

Throws:

ClassCastException - if any of the elements in the list are not of type java.security.cert.CertStore

addCertStore

public void addCertStore(CertStore store)

Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.

Parameters:

store - the CertStore to add. If null, the store is ignored (not added to list).

getCertStores

public List getCertStores()

Returns an immutable List of CertStores that are used to find certificates and CRLs.

Returns:

an immutable List of CertStores (may be empty, but never null)

getInitialUniqueID

public boolean[] getInitialUniqueID()

Returns the unique identifier of the most-trusted CA, or null if not set. Note that the array returned is copied to protect against subsequent modifications.

Returns:

a boolean array containing the unique identifier of the most-trusted CA, or null if not set

setRevocationEnabled

public void setRevocationEnabled(boolean val)

Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used).

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).

Parameters:

val - the new value of the RevocationEnabled flag

isRevocationEnabled

public boolean isRevocationEnabled()

Checks the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used). See the setRevocationEnabled method for more details on setting the value of this flag.

Returns:

the current value of the RevocationEnabled flag

setExplicitPolicyRequired

public void setExplicitPolicyRequired(boolean val)

Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Parameters:

val - true if explicit policy is to be required, false otherwise

isExplicitPolicyRequired

public boolean isExplicitPolicyRequired()

Checks if explicit policy is required. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Returns:

true if explicit policy is required, false otherwise

setPolicyMappingInhibited

public void setPolicyMappingInhibited(boolean val)

Sets the PolicyMappingInhibited flag. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Parameters:

val - true if policy mapping is to be inhibited, false otherwise

isPolicyMappingInhibited

public boolean isPolicyMappingInhibited()

Checks if policy mapping is inhibited. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Returns:

true if policy mapping is inhibited, false otherwise

setAnyPolicyInhibited

public void setAnyPolicyInhibited(boolean val)

Sets state to determine if the any policy OID should be processed if it is included in a certificate. By default, the any policy OID is not inhibited (isAnyPolicyInhibited() returns false).

Parameters:

val - true if the any policy OID is to be inhibited, false otherwise

isAnyPolicyInhibited

public boolean isAnyPolicyInhibited()

Checks whether the any policy OID should be processed if it is included in a certificate.

Returns:

true if the any policy OID is inhibited, false otherwise

setPolicyQualifiersRejected

public void setPolicyQualifiersRejected(boolean qualifiersRejected)

Sets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers are rejected. If the flag is false, certificates are not rejected on this basis.

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.

Parameters:

qualifiersRejected - the new value of the PolicyQualifiersRejected flag

See Also:

PolicyQualifierInfo

getPolicyQualifiersRejected

public boolean getPolicyQualifiersRejected()

Gets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers are rejected. If the flag is false, certificates are not rejected on this basis.

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

Returns:

the current value of the PolicyQualifiersRejected flag

getDate

public Date getDate()

Returns the time for which the validity of the certification path should be determined. If null, the current time is used.

Note that the Date returned is copied to protect against subsequent modifications.

Returns:

the Date, or null if not set

setDate

public void setDate(Date date)

Sets the time for which the validity of the certification path should be determined. If null, the current time is used.

Note that the Date supplied here is copied to protect against subsequent modifications.

Parameters:

date - the Date, or null for the current time

setCertPathCheckers

public void setCertPathCheckers(List checkers)

Sets a List of additional certification path checkers. If the specified List contains an object that is not a PKIXCertPathChecker, it is ignored.

Each PKIXCertPathChecker specified implements additional checks on a certificate. Typically, these are checks to process and verify private extensions contained in certificates. Each PKIXCertPathChecker should be instantiated with any initialization parameters needed to execute the check.

This method allows sophisticated applications to extend a PKIX CertPathValidator or CertPathBuilder. Each of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX CertPathValidator or CertPathBuilder for each certificate processed or validated.

Regardless of whether these additional PKIXCertPathCheckers are set, a PKIX CertPathValidator or CertPathBuilder must perform all of the required PKIX checks on each certificate. The one exception to this rule is if the RevocationEnabled flag is set to false (see the setRevocationEnabled method).

Note that the List supplied here is copied and each PKIXCertPathChecker in the list is cloned to protect against subsequent modifications.

Parameters:

checkers - a List of PKIXCertPathCheckers. May be null, in which case no additional checkers will be used.

Throws:

ClassCastException - if any of the elements in the list are not of type java.security.cert.PKIXCertPathChecker

getCertPathCheckers

public List getCertPathCheckers()

Returns the List of certification path checkers. The returned List is immutable, and each PKIXCertPathChecker in the List is cloned to protect against subsequent modifications.

Returns:

an immutable List of PKIXCertPathCheckers (may be empty, but not null)

addCertPathChecker

public void addCertPathChecker(PKIXCertPathChecker checker)

Adds a PKIXCertPathChecker to the list of certification path checkers. See the setCertPathCheckers method for more details.

Note that the PKIXCertPathChecker is cloned to protect against subsequent modifications.

Parameters:

checker - a PKIXCertPathChecker to add to the list of checks. If null, the checker is ignored (not added to list).

getSigProvider

public String getSigProvider()

Returns the signature provider's name, or null if not set.

Returns:

the signature provider's name (or null)

setSigProvider

public void setSigProvider(String sigProvider)

Sets the signature provider's name. The specified provider will be preferred when creating Signature objects. If null or not set, the first provider found supporting the algorithm will be used.

Parameters:

sigProvider - the signature provider's name (or null)

getTargetCertConstraints

public CertSelector getTargetCertConstraints()

Returns the required constraints on the target certificate. The constraints are returned as an instance of CertSelector. If null, no constraints are defined.

Note that the CertSelector returned is cloned to protect against subsequent modifications.

Returns:

a CertSelector specifying the constraints on the target certificate (or null)

setTargetCertConstraints

public void setTargetCertConstraints(CertSelector selector)

Sets the required constraints on the target certificate. The constraints are specified as an instance of CertSelector. If null, no constraints are defined.

Note that the CertSelector specified is cloned to protect against subsequent modifications.

Parameters:

selector - a CertSelector specifying the constraints on the target certificate (or null)

equals

public boolean equals(Object other)

Compares this object for equality with the specified object. If the other object is not an PKIXParameters, return false. Otherwise, return true if the parameters of the objects are equal.

Overrides:

equals in class Object

Parameters:

other - the object to test for equality

Returns:

true if the objects are equal, false otherwise

hashCode

public int hashCode()

Returns a hash code value for this object.

Overrides:

hashCode in class Object

Returns:

a hash code value

clone

public Object clone()

Makes a copy of this PKIXParameters object. Changes to the copy will not affect the original and vice versa.

Specified by:

clone in interface CertPathParameters

Overrides:

clone in class Object

Returns:

a copy of this PKIXParameters object

toString

public String toString()

Returns a formatted string describing the parameters.

Overrides:

toString in class Object

Returns:

a formatted string describing the parameters.