The PKIXParameters Class

This class (which implements the CertPathParameters interface) specifies the set of input parameters defined by the PKIX certification path validation algorithm. It also includes a few additional useful parameters.

An X.509 CertPath object and a PKIXParameters object are passed as arguments to the validate method of a CertPathValidator instance implementing the PKIX algorithm. The CertPathValidator uses the parameters to initialize the PKIX certification path validation algorithm.
Creating a PKIXParameters Object

To create a PKIXParameters object, a caller must specify "the most-trusted CA(s)" as defined by the PKIX validation algorithm. The most-trusted CAs can be specified using one of two constructors:

    public PKIXParameters(Set trustAnchors)
        throws InvalidAlgorithmParameterException
    public PKIXParameters(KeyStore keystore)
        throws KeyStoreException, InvalidAlgorithmParameterException

The first constructor allows the caller to specify the most-trusted CAs as a Set of TrustAnchor objects. Alternatively, a caller can use the second constructor and specify a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.
Setting Parameter Values

After a PKIXParameters object has been created, a caller can set (or replace the current value of) various parameters. A few of the methods for setting parameters are described here. Refer to the PKIXParameters API documentation for details on the other methods.
The setInitialPolicies method sets the initial policy identifiers, as specified by the PKIX validation algorithm. The elements of the Set are object identifiers (OIDs), each represented as a String. If the initialPolicies parameter is null or not set, any policy is acceptable:

    public void setInitialPolicies(Set initialPolicies)
The setDate method sets the time for which the validity of the path should be determined. If the date parameter is not set or is null, the current date is used:

    public void setDate(Date date)
The setPolicyMappingInhibited method sets the value of the policy mapping inhibited flag. The default value for the flag, if not specified, is false:

    public void setPolicyMappingInhibited(boolean val)

The setExplicitPolicyRequired method sets the value of the explicit policy required flag. The default value for the flag, if not specified, is false:

    public void setExplicitPolicyRequired(boolean val)

The setAnyPolicyInhibited method sets the value of the any policy inhibited flag. The default value for the flag, if not specified, is false:

    public void setAnyPolicyInhibited(boolean val)
The setTargetCertConstraints method allows the caller to set constraints on the target or end-entity certificate. For example, the caller can specify that the target certificate must contain a specific subject name. The constraints are specified as a CertSelector object. If the selector parameter is null or not set, no constraints are defined on the target certificate:

    public void setTargetCertConstraints(CertSelector selector)
The setCertStores method allows a caller to specify a List of CertStore objects that will be used by a PKIX implementation of CertPathValidator to find CRLs for path validation. This provides an extensible mechanism for specifying where to locate CRLs. The first CertStore in the list may be preferred to those that appear later:

    public void setCertStores(List stores)
The setCertPathCheckers method allows a caller to extend the PKIX validation algorithm by creating implementation-specific certification path checkers. For example, this mechanism can be used to process private certificate extensions. The setCertPathCheckers method takes a list of PKIXCertPathChecker (discussed later) objects as a parameter:

    public void setCertPathCheckers(List checkers)
The setRevocationEnabled method allows a caller to disable revocation checking. Revocation checking is enabled by default, because it is a required check of the PKIX validation algorithm. However, PKIX does not define how revocation should be checked. An implementation may use CRLs or OCSP, for example. This method allows the caller to disable the implementation's default revocation checking mechanism if it is not appropriate. A different revocation checking mechanism can then be specified by calling the setCertPathCheckers method, and passing it a PKIXCertPathChecker that implements the alternate mechanism:

    public void setRevocationEnabled(boolean val)
The setPolicyQualifiersRejected method allows a caller to enable or disable policy qualifier processing. When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false:

    public void setPolicyQualifiersRejected(boolean qualifiersRejected)
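The following is an added example (not code from this guide or the JDK) that ties the setters above together: it builds PKIXParameters from a KeyStore of trusted CAs, pins a target-certificate constraint, supplies CRLs through a CertStore so the default revocation check has something to consult, and plugs in a custom PKIXCertPathChecker for a private extension. It assumes file paths for the chain, the keystore and a CRL are passed in, and PRIVATE_EXT_OID is a made-up OID.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example, not code from the guide. Assumes: chain = certificate chain file
// (end-entity first), ks/pw = a keystore of trusted CA certificates and its password,
// crl = a CRL file to expose through a CertStore. PRIVATE_EXT_OID is a made-up OID.
public class PkixValidateExample {
    static final String PRIVATE_EXT_OID = "1.3.6.1.4.1.99999.1"; // hypothetical
    // Implementation-specific checker for a private extension (via setCertPathCheckers);
    // resolving the OID keeps a critical occurrence from failing the path.
    static class PrivateExtChecker extends PKIXCertPathChecker {
        public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking unsupported");
        }
        public boolean isForwardCheckingSupported() { return false; }
        public Set<String> getSupportedExtensions() { return Collections.singleton(PRIVATE_EXT_OID); }
        public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            byte[] der = ((X509Certificate) cert).getExtensionValue(PRIVATE_EXT_OID);
            if (der != null) {
                // application-specific processing of the DER value would go here
                unresolvedCritExts.remove(PRIVATE_EXT_OID);
            }
        }
    }
    public static PKIXCertPathValidatorResult validate(String chain, String ks, char[] pw,
            String crl) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path;
        try (FileInputStream in = new FileInputStream(chain)) {
            path = cf.generateCertPath(new ArrayList<>(cf.generateCertificates(in)));
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ks)) { trust.load(in, pw); }
        PKIXParameters params = new PKIXParameters(trust); // trusted entries = most-trusted CAs
        params.setDate(new Date());                         // validity as of now (the default)
        X509CertSelector target = new X509CertSelector();
        target.setKeyUsage(new boolean[] { true });         // end entity must permit digitalSignature
        params.setTargetCertConstraints(target);
        try (FileInputStream in = new FileInputStream(crl)) { // CRLs for the (still enabled) revocation check
            CertStore store = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(cf.generateCRLs(in)));
            params.setCertStores(Collections.singletonList(store));
        }
        List<PKIXCertPathChecker> checkers = new ArrayList<>();
        checkers.add(new PrivateExtChecker());
        params.setCertPathCheckers(checkers);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

Revocation checking is left at its default of enabled here; the CertStore only tells the validator where to find CRLs, and a path whose issuer's CRL is missing from the store still fails rather than passing silently.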
Getting Parameter Values

The current values for each of the parameters can be retrieved using an appropriate get method. Refer to the PKIXParameters API documentation for further details on these methods.