PKIXParameters

Overview

Package

Class

Tree

Deprecated

Index

Help

Codase Click

search sample or example code,

search definition,

search google

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

java.security.cert
Class PKIXParameters

java.lang.Object   
  java.security.cert.PKIXParameters

All Implemented Interfaces:: Cloneable , CertPathParameters

Direct Known Subclasses:: PKIXBuilderParameters

public class PKIXParameters
extends Object
implements CertPathParameters
extends Object
implements CertPathParameters

Parameters used as input for the PKIX CertPathValidator algorithm.

A PKIX CertPathValidator uses these parameters to validate a CertPath according to the PKIX certification path validation algorithm.

To instantiate a PKIXParameters object, an application must specify one or more most-trusted CAs as defined by the PKIX certification path validation algorithm. The most-trusted CAs can be specified using one of two constructors. An application can call PKIXParameters(Set) , specifying a Set of TrustAnchor objects, each of which identify a most-trusted CA. Alternatively, an application can call PKIXParameters(KeyStore) , specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.

Once a PKIXParameters object has been created, other parameters can be specified (by calling setInitialPolicies or setDate , for instance) and then the PKIXParameters is passed along with the CertPath to be validated to CertPathValidator.validate .

Any parameter that is not set (or is set to null) will be set to the default value for that parameter. The default value for the date parameter is null, which indicates the current time when the path is validated. The default for the remaining parameters is the least constrained.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Since:: 1.4
See Also:: CertPathValidator

Constructor Summary
`PKIXParameters (KeyStore keystore)` Creates an instance of `PKIXParameters` that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified `KeyStore`.
`PKIXParameters (Set <TrustAnchor > trustAnchors)` Creates an instance of `PKIXParameters` with the specified `Set` of most-trusted CAs.

Method Summary
`void`	`addCertPathChecker (PKIXCertPathChecker checker)` Adds a `PKIXCertPathChecker` to the list of certification path checkers.
`void`	`addCertStore (CertStore store)` Adds a `CertStore` to the end of the list of `CertStore`s used in finding certificates and CRLs.
`Object`	`clone ()` Makes a copy of this `PKIXParameters` object.
`List <PKIXCertPathChecker >`	`getCertPathCheckers ()` Returns the `List` of certification path checkers.
`List <CertStore >`	`getCertStores ()` Returns an immutable `List` of `CertStore`s that are used to find certificates and CRLs.
`Date`	`getDate ()` Returns the time for which the validity of the certification path should be determined.
`Set <String >`	`getInitialPolicies ()` Returns an immutable `Set` of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.
`boolean`	`getPolicyQualifiersRejected ()` Gets the PolicyQualifiersRejected flag.
`String`	`getSigProvider ()` Returns the signature provider's name, or `null` if not set.
`CertSelector`	`getTargetCertConstraints ()` Returns the required constraints on the target certificate.
`Set <TrustAnchor >`	`getTrustAnchors ()` Returns an immutable `Set` of the most-trusted CAs.
`boolean`	`isAnyPolicyInhibited ()` Checks whether the any policy OID should be processed if it is included in a certificate.
`boolean`	`isExplicitPolicyRequired ()` Checks if explicit policy is required.
`boolean`	`isPolicyMappingInhibited ()` Checks if policy mapping is inhibited.
`boolean`	`isRevocationEnabled ()` Checks the RevocationEnabled flag.
`void`	`setAnyPolicyInhibited (boolean val)` Sets state to determine if the any policy OID should be processed if it is included in a certificate.
`void`	`setCertPathCheckers (List <PKIXCertPathChecker > checkers)` Sets a `List` of additional certification path checkers.
`void`	`setCertStores (List <CertStore > stores)` Sets the list of `CertStore`s to be used in finding certificates and CRLs.
`void`	`setDate (Date date)` Sets the time for which the validity of the certification path should be determined.
`void`	`setExplicitPolicyRequired (boolean val)` Sets the ExplicitPolicyRequired flag.
`void`	`setInitialPolicies (Set <String > initialPolicies)` Sets the `Set` of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.
`void`	`setPolicyMappingInhibited (boolean val)` Sets the PolicyMappingInhibited flag.
`void`	`setPolicyQualifiersRejected (boolean qualifiersRejected)` Sets the PolicyQualifiersRejected flag.
`void`	`setRevocationEnabled (boolean val)` Sets the RevocationEnabled flag.
`void`	`setSigProvider (String sigProvider)` Sets the signature provider's name.
`void`	`setTargetCertConstraints (CertSelector selector)` Sets the required constraints on the target certificate.
`void`	`setTrustAnchors (Set <TrustAnchor > trustAnchors)` Sets the `Set` of most-trusted CAs.
`String`	`toString ()` Returns a formatted string describing the parameters.

Methods inherited from class java.lang.Object
`equals , finalize , getClass , hashCode , notify , notifyAll , wait , wait , wait`

Constructor Detail

PKIXParameters

public PKIXParameters(Set   <TrustAnchor   > trustAnchors)
               throws InvalidAlgorithmParameterException

Creates an instance of PKIXParameters with the specified Set of most-trusted CAs. Each element of the set is a TrustAnchor

sample code for java.security.cert.TrustAnchor

definition code for java.security.cert.TrustAnchor

Note that the Set is copied to protect against subsequent modifications.

Parameters:: trustAnchors - a Set of TrustAnchors
Throws:: InvalidAlgorithmParameterException - if the specified Set is empty (trustAnchors.isEmpty() == true); NullPointerException - if the specified Set is null; ClassCastException - if any of the elements in the Set are not of type java.security.cert.TrustAnchor

PKIXParameters

public PKIXParameters(KeyStore    keystore)
               throws KeyStoreException   ,
                      InvalidAlgorithmParameterException

Creates an instance of PKIXParameters that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified KeyStore. Only keystore entries that contain trusted X509Certificates are considered; all other certificate types are ignored.

Parameters:: keystore - a KeyStore from which the set of most-trusted CAs will be populated
Throws:: KeyStoreException - if the keystore has not been initialized; InvalidAlgorithmParameterException - if the keystore does not contain at least one trusted certificate entry; NullPointerException - if the keystore is null

Method Detail

getTrustAnchors

public Set   <TrustAnchor   > getTrustAnchors()

Returns an immutable Set of the most-trusted CAs.

Returns:: an immutable Set of TrustAnchors (never null)
See Also:: setTrustAnchors(java.util.Set)

setTrustAnchors

public void setTrustAnchors(Set   <TrustAnchor   > trustAnchors)
                     throws InvalidAlgorithmParameterException

Sets the Set of most-trusted CAs.

Note that the Set is copied to protect against subsequent modifications.

Parameters:: trustAnchors - a Set of TrustAnchors
Throws:: InvalidAlgorithmParameterException - if the specified Set is empty (trustAnchors.isEmpty() == true); NullPointerException - if the specified Set is null; ClassCastException - if any of the elements in the set are not of type java.security.cert.TrustAnchor
See Also:: getTrustAnchors()

getInitialPolicies

public Set   <String   > getInitialPolicies()

Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. The default return value is an empty Set, which is interpreted as meaning that any policy would be acceptable.

Returns:: an immutable Set of initial policy OIDs in String format, or an empty Set (implying any policy is acceptable). Never returns null.
See Also:: setInitialPolicies(java.util.Set)

setInitialPolicies

public void setInitialPolicies(Set   <String   > initialPolicies)

Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. By default, any policy is acceptable (i.e. all policies), so a user that wants to allow any policy as acceptable does not need to call this method, or can call it with an empty Set (or null).

Note that the Set is copied to protect against subsequent modifications.

Parameters:: initialPolicies - a Set of initial policy OIDs in String format (or null)
Throws:: ClassCastException - if any of the elements in the set are not of type String
See Also:: getInitialPolicies()

setCertStores

public void setCertStores(List   <CertStore   > stores)

Sets the list of CertStores to be used in finding certificates and CRLs. May be null, in which case no CertStores will be used. The first CertStores in the list may be preferred to those that appear later.

Note that the List is copied to protect against subsequent modifications.

Parameters:: stores - a List of CertStores (or null)
Throws:: ClassCastException - if any of the elements in the list are not of type java.security.cert.CertStore
See Also:: getCertStores()

addCertStore

public void addCertStore(CertStore    store)

Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.

Parameters:: store - the CertStore to add. If null, the store is ignored (not added to list).

getCertStores

public List   <CertStore   > getCertStores()

Returns an immutable List of CertStores that are used to find certificates and CRLs.

Returns:: an immutable List of CertStores (may be empty, but never null)
See Also:: setCertStores(java.util.List)

setRevocationEnabled

public void setRevocationEnabled(boolean val)

Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used).

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).

Parameters:: val - the new value of the RevocationEnabled flag

isRevocationEnabled

public boolean isRevocationEnabled()

Checks the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used). See the setRevocationEnabled

sample code for java.security.cert.PKIXParameters.setRevocationEnabled(boolean)

definition code for java.security.cert.PKIXParameters.setRevocationEnabled(boolean)

method for more details on setting the value of this flag.

Returns:: the current value of the RevocationEnabled flag

setExplicitPolicyRequired

public void setExplicitPolicyRequired(boolean val)

Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Parameters:: val - true if explicit policy is to be required, false otherwise

isExplicitPolicyRequired

public boolean isExplicitPolicyRequired()

Checks if explicit policy is required. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Returns:: true if explicit policy is required, false otherwise

setPolicyMappingInhibited

public void setPolicyMappingInhibited(boolean val)

Sets the PolicyMappingInhibited flag. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Parameters:: val - true if policy mapping is to be inhibited, false otherwise

isPolicyMappingInhibited

public boolean isPolicyMappingInhibited()

Checks if policy mapping is inhibited. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Returns:: true if policy mapping is inhibited, false otherwise

setAnyPolicyInhibited

public void setAnyPolicyInhibited(boolean val)

Sets state to determine if the any policy OID should be processed if it is included in a certificate. By default, the any policy OID is not inhibited (isAnyPolicyInhibited()

sample code for java.security.cert.PKIXParameters.isAnyPolicyInhibited()

definition code for java.security.cert.PKIXParameters.isAnyPolicyInhibited()

returns false).

Parameters:: val - true if the any policy OID is to be inhibited, false otherwise

isAnyPolicyInhibited

public boolean isAnyPolicyInhibited()

Checks whether the any policy OID should be processed if it is included in a certificate.

Returns:: true if the any policy OID is inhibited, false otherwise

setPolicyQualifiersRejected

public void setPolicyQualifiersRejected(boolean qualifiersRejected)

Sets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.

Parameters:: qualifiersRejected - the new value of the PolicyQualifiersRejected flag
See Also:: getPolicyQualifiersRejected() , PolicyQualifierInfo

java.security.cert Class PKIXParameters

PKIXParameters

PKIXParameters

getTrustAnchors

setTrustAnchors

getInitialPolicies

setInitialPolicies

setCertStores

addCertStore

getCertStores

setRevocationEnabled

isRevocationEnabled

setExplicitPolicyRequired

isExplicitPolicyRequired

setPolicyMappingInhibited

isPolicyMappingInhibited

setAnyPolicyInhibited

isAnyPolicyInhibited

setPolicyQualifiersRejected

java.security.cert
Class PKIXParameters