java.security.cert: public class: PKIXBuilderParameters

java.security.cert
public class: PKIXBuilderParameters [javadoc | source]

java.lang.Object
   java.security.cert.PKIXParameters
      java.security.cert.PKIXBuilderParameters

All Implemented Interfaces:
CertPathParameters

Parameters used as input for the PKIX CertPathBuilder algorithm.

A PKIX CertPathBuilder uses these parameters to build a CertPath which has been validated according to the PKIX certification path validation algorithm.

To instantiate a PKIXBuilderParameters object, an application must specify one or more most-trusted CAs as defined by the PKIX certification path validation algorithm. The most-trusted CA can be specified using one of two constructors. An application can call CertSelector) CertSelector) , specifying a Set of TrustAnchor objects, each of which identifies a most-trusted CA. Alternatively, an application can call CertSelector) CertSelector) , specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.

In addition, an application must specify constraints on the target certificate that the CertPathBuilder will attempt to build a path to. The constraints are specified as a CertSelector object. These constraints should provide the CertPathBuilder with enough search criteria to find the target certificate. Minimal criteria for an X509Certificate usually include the subject name and/or one or more subject alternative names. If enough criteria is not specified, the CertPathBuilder may throw a CertPathBuilderException.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Also see:

CertPathBuilder

since: 1.4 -

author: Sean - Mullan

Constructor:

Constructor:
public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors, CertSelector targetConstraints) throws InvalidAlgorithmParameterException { super(trustAnchors); setTargetCertConstraints(targetConstraints); } Creates an instance of `PKIXBuilderParameters` with the specified `Set` of most-trusted CAs. Each element of the set is a TrustAnchor . Note that the `Set` is copied to protect against subsequent modifications. Parameters: `trustAnchors` - a `Set` of `TrustAnchor`s `targetConstraints` - a `CertSelector` specifying the constraints on the target certificate Throws: `InvalidAlgorithmParameterException` - if `trustAnchors` is empty `(trustAnchors.isEmpty() == true)` `NullPointerException` - if `trustAnchors` is `null` `ClassCastException` - if any of the elements of `trustAnchors` are not of type `java.security.cert.TrustAnchor`
public PKIXBuilderParameters(KeyStore keystore, CertSelector targetConstraints) throws KeyStoreException, InvalidAlgorithmParameterException { super(keystore); setTargetCertConstraints(targetConstraints); } Creates an instance of `PKIXBuilderParameters` that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified `KeyStore`. Only keystore entries that contain trusted `X509Certificate`s are considered; all other certificate types are ignored. Parameters: `keystore` - a `KeyStore` from which the set of most-trusted CAs will be populated `targetConstraints` - a `CertSelector` specifying the constraints on the target certificate Throws: `KeyStoreException` - if `keystore` has not been initialized `InvalidAlgorithmParameterException` - if `keystore` does not contain at least one trusted certificate entry `NullPointerException` - if `keystore` is `null`

 public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors,
    CertSelector targetConstraints) throws InvalidAlgorithmParameterException {
        super(trustAnchors);
        setTargetCertConstraints(targetConstraints);
}

PKIXBuilderParameters

Set

TrustAnchor

Note that the Set is copied to protect against subsequent modifications.

Parameters:

trustAnchors - a Set of TrustAnchors

targetConstraints - a CertSelector specifying the constraints on the target certificate

Throws:

InvalidAlgorithmParameterException - if trustAnchors is empty (trustAnchors.isEmpty() == true)

NullPointerException - if trustAnchors is null

ClassCastException - if any of the elements of trustAnchors are not of type java.security.cert.TrustAnchor

 public PKIXBuilderParameters(KeyStore keystore,
    CertSelector targetConstraints) throws KeyStoreException, InvalidAlgorithmParameterException {
        super(keystore);
        setTargetCertConstraints(targetConstraints);
}

PKIXBuilderParameters

KeyStore

X509Certificate

Parameters:

keystore - a KeyStore from which the set of most-trusted CAs will be populated

targetConstraints - a CertSelector specifying the constraints on the target certificate

Throws:

KeyStoreException - if keystore has not been initialized

InvalidAlgorithmParameterException - if keystore does not contain at least one trusted certificate entry

NullPointerException - if keystore is null

Method from java.security.cert.PKIXBuilderParameters Summary:
getMaxPathLength, setMaxPathLength, toString

Methods from java.security.cert.PKIXParameters:
addCertPathChecker, addCertStore, clone, getCertPathCheckers, getCertStores, getDate, getInitialPolicies, getPolicyQualifiersRejected, getSigProvider, getTargetCertConstraints, getTrustAnchors, isAnyPolicyInhibited, isExplicitPolicyRequired, isPolicyMappingInhibited, isRevocationEnabled, setAnyPolicyInhibited, setCertPathCheckers, setCertStores, setDate, setExplicitPolicyRequired, setInitialPolicies, setPolicyMappingInhibited, setPolicyQualifiersRejected, setRevocationEnabled, setSigProvider, setTargetCertConstraints, setTrustAnchors, toString

Methods from java.security.cert.PKIXParameters:

addCertPathChecker, addCertStore, clone, getCertPathCheckers, getCertStores, getDate, getInitialPolicies, getPolicyQualifiersRejected, getSigProvider, getTargetCertConstraints, getTrustAnchors, isAnyPolicyInhibited, isExplicitPolicyRequired, isPolicyMappingInhibited, isRevocationEnabled, setAnyPolicyInhibited, setCertPathCheckers, setCertStores, setDate, setExplicitPolicyRequired, setInitialPolicies, setPolicyMappingInhibited, setPolicyQualifiersRejected, setRevocationEnabled, setSigProvider, setTargetCertConstraints, setTrustAnchors, toString

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from java.security.cert.PKIXBuilderParameters Detail:
public int getMaxPathLength() { return maxPathLength; } Returns the value of the maximum number of intermediate non-self-issued certificates that may exist in a certification path. See the #setMaxPathLength method for more details.
public void setMaxPathLength(int maxPathLength) { if (maxPathLength < -1) { throw new InvalidParameterException("the maximum path " + "length parameter can not be less than -1"); } this.maxPathLength = maxPathLength; } Sets the value of the maximum number of non-self-issued intermediate certificates that may exist in a certification path. A certificate is self-issued if the DNs that appear in the subject and issuer fields are identical and are not empty. Note that the last certificate in a certification path is not an intermediate certificate, and is not included in this limit. Usually the last certificate is an end entity certificate, but it can be a CA certificate. A PKIX `CertPathBuilder` instance must not build paths longer than the length specified. A value of 0 implies that the path can only contain a single certificate. A value of -1 implies that the path length is unconstrained (i.e. there is no maximum). The default maximum path length, if not specified, is 5. Setting a value less than -1 will cause an exception to be thrown. If any of the CA certificates contain the `BasicConstraintsExtension`, the value of the `pathLenConstraint` field of the extension overrides the maximum path length parameter whenever the result is a certification path of smaller length.
public String toString() { StringBuffer sb = new StringBuffer(); sb.append("[\n"); sb.append(super.toString()); sb.append(" Maximum Path Length: " + maxPathLength + "\n"); sb.append("]\n"); return sb.toString(); } Returns a formatted string describing the parameters.

Method from java.security.cert.PKIXBuilderParameters Detail:

 public int getMaxPathLength() {
        return maxPathLength;
}

#setMaxPathLength

 public  void setMaxPathLength(int maxPathLength) {
        if (maxPathLength <  -1) {
            throw new InvalidParameterException("the maximum path "
                + "length parameter can not be less than -1");
        }
        this.maxPathLength = maxPathLength;
}

CertPathBuilder

A value of 0 implies that the path can only contain a single certificate. A value of -1 implies that the path length is unconstrained (i.e. there is no maximum). The default maximum path length, if not specified, is 5. Setting a value less than -1 will cause an exception to be thrown.

If any of the CA certificates contain the BasicConstraintsExtension, the value of the pathLenConstraint field of the extension overrides the maximum path length parameter whenever the result is a certification path of smaller length.

 public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[\n");
        sb.append(super.toString());
        sb.append("  Maximum Path Length: " + maxPathLength + "\n");
        sb.append("]\n");
        return sb.toString();
}

Returns a formatted string describing the parameters.