How a PKIX Service Provider implementation should use a PKIXCertPathChecker

Each PKIXCertPathChecker object must be initialized by a service provider implementation before commencing the build or validation algorithm, for example:
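// Initialize every checker supplied in the PKIXParameters for reverse checking
List<PKIXCertPathChecker> checkers = params.getCertPathCheckers();
ListIterator<PKIXCertPathChecker> li = checkers.listIterator();

while (li.hasNext()) {
    PKIXCertPathChecker checker = li.next();
    checker.init(false);
}
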
For each certificate that it validates, the service provider implementation must call the check method of each PKIXCertPathChecker object in turn, passing it the certificate and any remaining unresolved critical extensions:
// Run each checker against the current certificate
ListIterator<PKIXCertPathChecker> li = checkers.listIterator();
while (li.hasNext()) {
    PKIXCertPathChecker checker = li.next();
    checker.check(cert, unresolvedCritExts);
}

If any of the checks throws a CertPathValidatorException, a CertPathValidator implementation should terminate the validation procedure. However, a CertPathBuilder implementation may simply log the failure and continue to search for other potential paths. If all of the checks are successful, the service provider implementation should check that all critical extensions have been resolved and, if not, consider the validation to have failed. For example:
if (unresolvedCritExts != null && !unresolvedCritExts.isEmpty()) {
    // note that a CertPathBuilder may have an enclosing
    // try block to catch the following exception and continue on error
    throw new CertPathValidatorException("Unrecognized Critical Extension");
}

As discussed in the previous section, a CertPathBuilder implementation may need to backtrack when a potential certification path reaches a dead end or point of failure. Backtracking in this context implies returning to the previous certificate in the path and checking for other potential paths. If the CertPathBuilder implementation is validating the path as it is building it, it will need to restore the previous state of each PKIXCertPathChecker. It can do this by making clones of the PKIXCertPathChecker objects before each certificate is processed, for example:
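/* clone checkers */

List<PKIXCertPathChecker> newList = new ArrayList<>(checkers);
ListIterator<PKIXCertPathChecker> li = newList.listIterator();

while (li.hasNext()) {
    PKIXCertPathChecker checker = li.next();
    // clone() is declared to return Object, so cast back to the checker type
    li.set((PKIXCertPathChecker) checker.clone());
}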
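
The steps above combined into one builder-side routine, as an added example that is not code from this guide or from any provider: a stateful checker, a snapshot of clones taken before each candidate certificate, the unresolved-critical-extension test, and a rollback on failure. The names CheckerBacktrackDemo, DepthLimitChecker, tryCandidate and handledByProvider are hypothetical, and main uses the roots in the JDK default trust store only as stand-in candidate certificates.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added illustration, not JDK or provider code; all names below are hypothetical.
public class CheckerBacktrackDemo {
    // Stateful checker: rejects a path once more than 'max' certificates were checked.
    static class DepthLimitChecker extends PKIXCertPathChecker {
        private final int max;
        private int seen;                        // state that must be restored on backtrack
        DepthLimitChecker(int max) { this.max = max; }
        @Override public void init(boolean forward) { seen = 0; }
        @Override public boolean isForwardCheckingSupported() { return true; }
        @Override public Set<String> getSupportedExtensions() { return null; }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            if (++seen > max) throw new CertPathValidatorException("path too long");
        }
        // Inherited clone() is a shallow copy: enough for the int field here, but
        // checkers holding mutable objects must override clone() to copy them.
    }

    // One builder step: on failure the list is restored to the pre-candidate snapshot.
    static boolean tryCandidate(List<PKIXCertPathChecker> checkers, X509Certificate cert,
                                Set<String> handledByProvider) {
        List<PKIXCertPathChecker> snapshot = new ArrayList<>();
        for (PKIXCertPathChecker c : checkers) snapshot.add((PKIXCertPathChecker) c.clone());
        Set<String> crit = cert.getCriticalExtensionOIDs();        // null if none present
        Set<String> unresolved = (crit == null) ? new HashSet<>() : new HashSet<>(crit);
        unresolved.removeAll(handledByProvider);   // extensions the provider processed itself
        try {
            for (PKIXCertPathChecker c : checkers) c.check(cert, unresolved);
            if (!unresolved.isEmpty()) throw new CertPathValidatorException("Unrecognized Critical Extension");
            return true;                           // checker state has advanced
        } catch (CertPathValidatorException e) {
            checkers.clear();
            checkers.addAll(snapshot);             // backtrack: discard the partial state
            return false;
        }
    }

    // Stand-in input: default trust store roots, treated as successive candidates.
    public static void main(String[] args) throws Exception {
        List<PKIXCertPathChecker> checkers = new ArrayList<>(List.of(new DepthLimitChecker(2)));
        for (PKIXCertPathChecker c : checkers) c.init(false);
        Set<String> handled = Set.of("2.5.29.19", "2.5.29.15");   // assumed: basicConstraints, keyUsage
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (X509Certificate c : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            System.out.println(c.getSubjectX500Principal() + " -> " + tryCandidate(checkers, c, handled));
    }
}
```

Because the snapshot is restored after a rejected candidate, the counter in DepthLimitChecker does not keep growing across failed attempts; without the clones, every dead end would leave stale state behind for the next candidate.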