java.security.cert
Class PKIXBuilderParameters
- java.lang.Object
java.security.cert.PKIXParameters
java.security.cert.PKIXBuilderParameters
- public class PKIXBuilderParameters
- extends PKIXParameters
CertPathBuilder
algorithm.
A PKIX CertPathBuilder
uses these parameters to build
a CertPath
which has been
validated according to the PKIX certification path validation algorithm.
To instantiate a PKIXBuilderParameters
object, an
application must specify one or more most-trusted CAs as defined by
the PKIX certification path validation algorithm. The most-trusted CA
can be specified using one of two constructors. An application
can call PKIXBuilderParameters(Set, CertSelector)
, specifying a
Set
of TrustAnchor
objects, each of which
identifies a most-trusted CA. Alternatively, an application can call
PKIXBuilderParameters(KeyStore, CertSelector)
, specifying a
KeyStore
instance containing trusted certificate entries, each
of which will be considered as a most-trusted CA.
In addition, an application must specify constraints on the target
certificate that the CertPathBuilder
will attempt
to build a path to. The constraints are specified as a
CertSelector
object. These constraints should provide the
CertPathBuilder
with enough search criteria to find the target
certificate. Minimal criteria for an X509Certificate
usually
include the subject name and/or one or more subject alternative names.
If enough criteria is not specified, the CertPathBuilder
may throw a CertPathBuilderException
.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
Constructor Summary
Constructor and Description |
---|
PKIXBuilderParameters(KeyStore keystore,CertSelector targetConstraints)
Creates an instance of
PKIXBuilderParameters that populates
the set of most-trusted CA certificates from the trusted certificate entries
contained in the specified KeyStore .
|
PKIXBuilderParameters(Set<TrustAnchor> trustAnchors,CertSelector targetConstraints)
Creates an instance of
PKIXBuilderParameters with the specified
Set of most-trusted CAs.
|
Method Summary
Modifier and Type | Method and Description |
---|---|
|
getMaxPathLength()
Returns the value of the maximum number of intermediate non-self-issued
certificates that may exist in a certification path.
|
|
setMaxPathLength(int maxPathLength)
Sets the value of the maximum number of non-self-issued intermediate
certificates that may exist in a certification path.
|
toString()
Returns a formatted string describing the parameters.
|
Methods inherited from class java.lang.Object |
---|
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Constructor Detail
PKIXBuilderParameters
- public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors,
- CertSelector targetConstraints)
- throws InvalidAlgorithmParameterException
trustAnchors
- a Set
of TrustAnchor
s targetConstraints
- a CertSelector
specifying the constraints
on the target certificate ClassCastException
- if any of the elements in the set are not of type
java.security.cert.TrustAnchor NullPointerException
- if the trustAnchors set is null InvalidAlgorithmParameterException
- if the trustAnchor
s set is empty (trustAnchors.isEmpty() == true)
PKIXBuilderParameters
- public PKIXBuilderParameters(KeyStore keystore,
- CertSelector targetConstraints)
- throws KeyStoreException
- InvalidAlgorithmParameterException
PKIXBuilderParameters
that populates
the set of most-trusted CA certificates from the trusted certificate entries
contained in the specified KeyStore
. Only keystore entries
that contain trusted X509Certificates
are considered; all other
certificate types are ignored.
keystore
- A KeyStore
from which the set of most-trusted CA
certificates will be populated. targetConstraints
- a CertSelector
specifying the constraints
on the target certificate KeyStoreException
- if the keystore has not been initialized NullPointerException
- if the keystore is null
InvalidAlgorithmParameterException
- if the keystore is empty Method Detail
setMaxPathLength
- public void setMaxPathLength(int maxPathLength)
CertPathBuilder
instance must not build
paths longer than the length specified.
A value of 0 implies that the path can only contain a single certificate. A value of -1 implies that the path length is unconstrained (i.e. there is no maximum). The default maximum path length, if not specified, is 5. Setting a value less than -1 will cause an exception to be thrown.
If any of the CA certificates contain the
BasicConstraintsExtension
, the value of the
pathLenConstraint
field of the extension overrides
the maximum path length parameter whenever the result is a
certification path of smaller length.
maxPathLength
- the maximum number of non-self-issued intermediate
certificates that may exist in a certification path InvalidParameterException
- if the maximum path length
parameter is set to a value less than -1 getMaxPathLength
- public int getMaxPathLength()
setMaxPathLength(int)
method for more details.
toString
- public String toString()
toString
in class PKIXParameters
PKIXBuilderParameters
with the specifiedSet
of most-trusted CAs. Each element of the set is aTrustAnchor
.Note that the
Set
is copied to protect against subsequent modifications.