CertPathBuilder

The "IBMCertPath" provider supplies a PKIX implementation of the CertPathBuilder engine class. The implementation builds CertPaths of type X.509. Each CertPath is validated according to the PKIX algorithm defined in RFC 3280: PKIX Certificate and CRL Profile.

The implementation requires that the targetConstraints parameter of a PKIXBuilderParameters object be an instance of X509CertSelector, and at least the target subject name must be set in the targetConstraints parameter. Otherwise the build method throws an InvalidAlgorithmParameterException.

The implementation builds CertPath objects in a forward direction using a depth-first algorithm. It backtracks to previous states and tries alternate paths when a potential path is determined to be not valid or exceeds the PKIXBuilderParameters maxPathLength parameter.

Validation of the path is performed in the same manner as the CertPathValidator implementation. The implementation validates most of the path as it is being built, so that paths that are not valid are eliminated earlier in the process.
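The following is an added example, not code from the provider or its documentation. It sets up PKIXBuilderParameters the way the requirements above describe and handles both failure modes. The class name, the distinguished names, the generated trust anchor key and the empty certificate store are constructed for illustration, and CertPathBuilder.getInstance("PKIX") is used so that the JVM's default PKIX provider is selected (pass "IBMCertPath" as a second argument to name this provider explicitly).

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class BuildPathExample {
    // Builds and validates a path from the target selected by 'target' to one of 'anchors'.
    static PKIXCertPathBuilderResult buildPath(Set<TrustAnchor> anchors, CertStore store,
            X509CertSelector target, int maxPathLength) throws GeneralSecurityException {
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(store);              // where candidate certificates are looked up
        // Limit on non-self-issued intermediate certificates; the builder backtracks
        // and tries an alternate path when a candidate path exceeds it.
        params.setMaxPathLength(maxPathLength);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    static String attempt(Set<TrustAnchor> anchors, CertStore store, X509CertSelector target) {
        try {
            PKIXCertPathBuilderResult r = buildPath(anchors, store, target, 2);
            return "built path of " + r.getCertPath().getCertificates().size()
                    + " certificate(s) to " + r.getTrustAnchor().getCAName();
        } catch (InvalidAlgorithmParameterException e) {
            return "parameters rejected: " + e.getMessage();   // e.g. no target subject
        } catch (CertPathBuilderException e) {
            return "no valid path: " + e.getMessage();          // all candidates exhausted
        } catch (GeneralSecurityException e) {
            return "builder unavailable: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed trust anchor: a name plus a freshly generated public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(
                new X500Principal("CN=Example Root CA,O=Example"),
                kpg.generateKeyPair().getPublic(), null));
        // Constructed, empty store: replace with the intermediates and end-entity certificates.
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.emptyList()));

        X509CertSelector withSubject = new X509CertSelector();
        withSubject.setSubject(new X500Principal("CN=server.example.com,O=Example"));
        System.out.println("subject set:   " + attempt(anchors, store, withSubject));
        // Selector with no subject name: the case the implementation is documented to reject.
        System.out.println("subject unset: " + attempt(anchors, store, new X509CertSelector()));
    }
}
```

With the empty store no path can be found, so the first attempt ends in CertPathBuilderException; the second shows how a selector without a subject name is handled by whichever PKIX provider is installed.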