How a PKIX Service Provider implementation should use a PKIXCertPathChecker
Each PKIXCertPathChecker object must be initialized by a service provider implementation before commencing the build or validation algorithm, for example:

    // initialize every checker before processing the first certificate
    List<PKIXCertPathChecker> checkers = params.getCertPathCheckers();
    ListIterator<PKIXCertPathChecker> li = checkers.listIterator();
    while (li.hasNext()) {
        PKIXCertPathChecker checker = li.next();
        checker.init(false);
    }

For each certificate that it validates, the service provider implementation must call the check method of each PKIXCertPathChecker object in turn, passing it the certificate and any remaining unresolved critical extensions:

    // run every checker against the current certificate
    ListIterator<PKIXCertPathChecker> li = checkers.listIterator();
    while (li.hasNext()) {
        PKIXCertPathChecker checker = li.next();
        checker.check(cert, unresolvedCritExts);
    }

If any of the checks throw a CertPathValidatorException, a CertPathValidator implementation should terminate the validation procedure. However, a CertPathBuilder implementation may simply log the failure and continue to search for other potential paths. If all of the checks are successful, the service provider implementation should check that all critical extensions have been resolved and, if not, consider the validation to have failed. For example:

    if (unresolvedCritExts != null &&
        !unresolvedCritExts.isEmpty())
    {
        // note that a CertPathBuilder may have an enclosing
        // try block to catch the following exception and continue on error
        throw new CertPathValidatorException("Unrecognized Critical Extension");
    }

As discussed in the previous section, a CertPathBuilder implementation may need to backtrack when a potential certification path reaches a dead end or point of failure. Backtracking in this context implies returning to the previous certificate in the path and checking for other potential paths. If the CertPathBuilder implementation is validating the path as it is building it, it will need to restore the previous state of each PKIXCertPathChecker. It can do this by making clones of the PKIXCertPathChecker objects before each certificate is processed, for example:

    /* clone checkers */
    List<PKIXCertPathChecker> newList = new ArrayList<>(checkers);
    ListIterator<PKIXCertPathChecker> li = newList.listIterator();
    while (li.hasNext()) {
        PKIXCertPathChecker checker = li.next();
        // clone() returns Object, so cast back to the checker type
        li.set((PKIXCertPathChecker) checker.clone());
    }
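
The check, unresolved-extension test and clone-before-processing steps above combined into a single builder step, as an added example that is not part of the original guide. The names CheckerBacktrack, snapshot and tryCandidate are hypothetical; the code assumes the checkers were already initialized with init and, for simplicity, starts the unresolved set from all of the candidate certificate's critical extension OIDs.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example (hypothetical names): one builder step with checker rollback. */
public class CheckerBacktrack {

    /** Clones every checker so the caller's list keeps its pre-certificate state. */
    static List<PKIXCertPathChecker> snapshot(List<PKIXCertPathChecker> checkers) {
        List<PKIXCertPathChecker> copy = new ArrayList<>(checkers.size());
        for (PKIXCertPathChecker c : checkers) {
            copy.add((PKIXCertPathChecker) c.clone());
        }
        return copy;
    }

    /**
     * Tries to extend the path with one candidate certificate.
     * Returns the advanced checker state on success. On failure it records the
     * reason and returns null; the caller's list is untouched, so the builder
     * can backtrack and try another candidate from the same state.
     */
    static List<PKIXCertPathChecker> tryCandidate(X509Certificate cert,
            List<PKIXCertPathChecker> checkers, List<String> failures) {
        List<PKIXCertPathChecker> working = snapshot(checkers);
        // Assumption: no built-in provider checks have resolved anything yet.
        Set<String> critical = cert.getCriticalExtensionOIDs(); // may be null
        Set<String> unresolved =
                (critical == null) ? new HashSet<>() : new HashSet<>(critical);
        try {
            for (PKIXCertPathChecker c : working) {
                c.check(cert, unresolved); // a checker removes the OIDs it handles
            }
            if (!unresolved.isEmpty()) {
                throw new CertPathValidatorException("Unrecognized Critical Extension");
            }
            return working;
        } catch (CertPathValidatorException e) {
            // Builder behaviour: log and continue. A validator would rethrow here.
            failures.add(cert.getSubjectX500Principal() + ": " + e.getMessage());
            return null;
        }
    }
}
```

Because the checks run on the clones, a failed candidate leaves no partial state behind; the builder replaces its checker list with the returned one only when the result is non-null.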