public class PKIXBuilderParameters extends PKIXParameters
CertPathBuilder
algorithm.
A PKIX CertPathBuilder
uses these parameters to build
a CertPath
which has been
validated according to the PKIX certification path validation algorithm.
To instantiate a PKIXBuilderParameters
object, an
application must specify one or more most-trusted CAs as defined by
the PKIX certification path validation algorithm. The most-trusted CA
can be specified using one of two constructors. An application
can call PKIXBuilderParameters(Set, CertSelector)
, specifying a
Set
of TrustAnchor
objects, each of which
identifies a most-trusted CA. Alternatively, an application can call
PKIXBuilderParameters(KeyStore, CertSelector)
, specifying a
KeyStore
instance containing trusted certificate entries, each
of which will be considered as a most-trusted CA.
In addition, an application must specify constraints on the target
certificate that the CertPathBuilder
will attempt
to build a path to. The constraints are specified as a
CertSelector
object. These constraints should provide the
CertPathBuilder
with enough search criteria to find the target
certificate. Minimal criteria for an X509Certificate
usually
include the subject name and/or one or more subject alternative names.
If enough criteria is not specified, the CertPathBuilder
may throw a CertPathBuilderException
.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
CertPathBuilder
Constructor and Description |
---|
PKIXBuilderParameters(KeyStore keystore,
CertSelector targetConstraints)
Creates an instance of
PKIXBuilderParameters that
populates the set of most-trusted CAs from the trusted
certificate entries contained in the specified KeyStore . |
PKIXBuilderParameters(Set<TrustAnchor> trustAnchors,
CertSelector targetConstraints)
Creates an instance of
PKIXBuilderParameters with
the specified Set of most-trusted CAs. |
Modifier and Type | Method and Description |
---|---|
int |
getMaxPathLength()
Returns the value of the maximum number of intermediate non-self-issued
certificates that may exist in a certification path.
|
void |
setMaxPathLength(int maxPathLength)
Sets the value of the maximum number of non-self-issued intermediate
certificates that may exist in a certification path.
|
String |
toString()
Returns a formatted string describing the parameters.
|
addCertPathChecker, addCertStore, clone, getCertPathCheckers, getCertStores, getDate, getInitialPolicies, getPolicyQualifiersRejected, getSigProvider, getTargetCertConstraints, getTrustAnchors, isAnyPolicyInhibited, isExplicitPolicyRequired, isPolicyMappingInhibited, isRevocationEnabled, setAnyPolicyInhibited, setCertPathCheckers, setCertStores, setDate, setExplicitPolicyRequired, setInitialPolicies, setPolicyMappingInhibited, setPolicyQualifiersRejected, setRevocationEnabled, setSigProvider, setTargetCertConstraints, setTrustAnchors
public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors, CertSelector targetConstraints) throws InvalidAlgorithmParameterException
PKIXBuilderParameters
with
the specified Set
of most-trusted CAs.
Each element of the set is a TrustAnchor
.
Note that the Set
is copied to protect against
subsequent modifications.
trustAnchors
- a Set
of TrustAnchor
stargetConstraints
- a CertSelector
specifying the
constraints on the target certificateInvalidAlgorithmParameterException
- if trustAnchors
is empty (trustAnchors.isEmpty() == true)
NullPointerException
- if trustAnchors
is
null
ClassCastException
- if any of the elements of
trustAnchors
are not of type
java.security.cert.TrustAnchor
public PKIXBuilderParameters(KeyStore keystore, CertSelector targetConstraints) throws KeyStoreException, InvalidAlgorithmParameterException
PKIXBuilderParameters
that
populates the set of most-trusted CAs from the trusted
certificate entries contained in the specified KeyStore
.
Only keystore entries that contain trusted X509Certificate
s
are considered; all other certificate types are ignored.keystore
- a KeyStore
from which the set of
most-trusted CAs will be populatedtargetConstraints
- a CertSelector
specifying the
constraints on the target certificateKeyStoreException
- if keystore
has not been
initializedInvalidAlgorithmParameterException
- if keystore
does
not contain at least one trusted certificate entryNullPointerException
- if keystore
is
null
public void setMaxPathLength(int maxPathLength)
CertPathBuilder
instance must not build
paths longer than the length specified.
A value of 0 implies that the path can only contain a single certificate. A value of -1 implies that the path length is unconstrained (i.e. there is no maximum). The default maximum path length, if not specified, is 5. Setting a value less than -1 will cause an exception to be thrown.
If any of the CA certificates contain the
BasicConstraintsExtension
, the value of the
pathLenConstraint
field of the extension overrides
the maximum path length parameter whenever the result is a
certification path of smaller length.
maxPathLength
- the maximum number of non-self-issued intermediate
certificates that may exist in a certification pathInvalidParameterException
- if maxPathLength
is set
to a value less than -1getMaxPathLength()
public int getMaxPathLength()
setMaxPathLength(int)
method for more details.setMaxPathLength(int)
public String toString()
toString
in class PKIXParameters
Submit a bug or feature
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
Copyright © 1993, 2022, Oracle and/or its affiliates. All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.