The CertPathValidator Class

The CertPathValidator class is an engine class used to validate a certification path.

Creating a CertPathValidator Object

As with all engine classes, the way to get a CertPathValidator object for a particular validation algorithm is to call one of the getInstance static factory methods on the CertPathValidator class:

public static CertPathValidator getInstance(String algorithm)
public static CertPathValidator getInstance(String algorithm, String provider)
public static CertPathValidator getInstance(String algorithm, Provider provider)

The algorithm parameter is the name of a certification path validation algorithm (for example, "PKIX"). Standard CertPathValidator algorithm names are listed in Appendix A.

Validating a Certification Path

After a CertPathValidator object is created, paths can be validated by calling the validate method, passing to it the certification path to be validated and a set of algorithm-specific parameters:

  public final CertPathValidatorResult
          validate(CertPath certPath, CertPathParameters params)
          throws CertPathValidatorException,
                InvalidAlgorithmParameterException

If the validation algorithm is successful, the result is returned in an object implementing the CertPathValidatorResult interface. Otherwise, a CertPathValidatorException is thrown. The CertPathValidatorException contains methods that return the CertPath and, if relevant, the index of the certificate that caused the algorithm to fail, as well as the root exception or cause of the failure.

Note that the CertPath and CertPathParameters passed to the validate method must be of a type that is supported by the validation algorithm. Otherwise, an InvalidAlgorithmParameterException is thrown. For example, a CertPathValidator instance that implements the PKIX algorithm validates CertPath objects of type X.509 and CertPathParameters that are an instance of PKIXParameters.

The PKIXRevocationChecker class is a vehicle for passing additional parameters to the CertPathValidator class. For more information, see The PKIXRevocationChecker Class.
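The following is an added example, not code from the original guide: it validates a chain with the PKIX algorithm, attaches the validator's PKIXRevocationChecker, and reports which certificate failed by reading the index, reason and cause from the CertPathValidatorException. The class name ValidateChain and the two PEM file arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ValidateChain {
    // Usage: java ValidateChain.java <trust-anchor.pem> <chain.pem>
    // Both file arguments are assumptions of this example. chain.pem holds the
    // target certificate first and must not include the trust anchor itself.
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        List<Certificate> chain;
        try (InputStream a = new FileInputStream(args[0]);
             InputStream c = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(a);
            chain = new ArrayList<>(cf.generateCertificates(c));
        }
        CertPath path = cf.generateCertPath(chain);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        // Revocation checking is on by default in PKIXParameters. Adding the
        // validator's own PKIXRevocationChecker makes that explicit; revocation
        // status must then be obtainable (OCSP or CRLs) or validation fails.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        params.addCertPathChecker(rc);

        try {
            PKIXCertPathValidatorResult r =
                (PKIXCertPathValidatorResult) cpv.validate(path, params);
            System.out.println("valid, anchored at: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
            System.out.println("  reason: " + e.getReason());
            System.out.println("  cause : " + e.getCause());
            // getIndex() is -1 when the failure is not tied to one certificate.
            int i = e.getIndex();
            System.out.println("  index : " + i);
            if (i >= 0) {
                X509Certificate bad =
                    (X509Certificate) e.getCertPath().getCertificates().get(i);
                System.out.println("  cert  : " + bad.getSubjectX500Principal());
            }
        }
    }
}
```

Passing a CertPathParameters object that is not a PKIXParameters instance to this validator would raise InvalidAlgorithmParameterException instead, which main propagates.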