CertPathValidator

The "IBMCertPath" provider supplies a PKIX implementation of the CertPathValidator engine class. The implementation validates CertPaths of type X.509 and implements the certification path validation algorithm defined in RFC 3280: PKIX Certificate and CRL Profile.

The PKIX Certificate and CRL Profile has many optional features. The "IBMCertPath" provider implements support for the key usage extension, certificate policies, basic constraints, name constraints, policy constraints, the policy mapping extension, the extended key usage field, the inhibit any-policy extension, CRL distribution points and the reason code CRL entry extension. It does not implement support for the subject information access certificate extension, and it implements only limited support for the authority information access certificate extension (refer to the description of the com.ibm.security.enableAIAEXT system property). It also does not support the freshest CRL extension or the hold instruction code CRL entry extension. Checking of the CRL distribution points extension is disabled by default and can be enabled by setting the system property com.ibm.security.enableCRLDP to the value true. When it is enabled, CRLs are retrieved from the locations specified in the extension if the distribution point specifies a fullName of type URI.

The implementation supports a certification path validation mechanism that conforms to section 6.1 of the PKIX Certificate and CRL Profile. To verify a path, an application must specify at least one TrustAnchor in a PKIXParameters object.

The implementation also supports a CRL revocation checking mechanism that conforms to section 6.3 of the PKIX Certificate and CRL Profile. Revocation checking is enabled by default. When revocation checking is enabled, an application may specify one or more CertStores containing CRLs in a PKIXParameters object. For each certificate in the CertPath, the CertPathValidator searches the specified CertStores for applicable CRLs. If those CRLs do not determine a certificate's revocation status, the information in the certificate's CRL distribution points extension is retrieved and used to further establish its revocation status. If the revocation status remains undetermined, validation fails. OCSP (RFC 2560) is not currently supported as a built-in revocation checking mechanism.
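The following is an added example, not code from the IBM documentation, showing how an application wires together the pieces described above: a TrustAnchor, a PKIXParameters object with CRL revocation checking and a Collection CertStore of CRLs, the com.ibm.security.enableCRLDP system property, and the "IBMCertPath" PKIX CertPathValidator. The certificate and CRL file names (ee.cer, intermediate.cer, root.cer, root.crl, intermediate.crl) are assumptions; the chain is assumed to be end entity, one intermediate CA, one root CA.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ValidateWithIbmCertPath {

    // Load one X.509 certificate from a DER or PEM file (file names are assumed).
    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Load one X.509 CRL from a DER or PEM file (file names are assumed).
    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Opt in to CRL distribution point retrieval (off by default); set it before validation.
        System.setProperty("com.ibm.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The CertPath is ordered end entity first and does not include the trust anchor.
        List<X509Certificate> chain = Arrays.asList(
                loadCert(cf, "ee.cer"), loadCert(cf, "intermediate.cer"));
        CertPath path = cf.generateCertPath(chain);

        // The root CA is supplied as the (required) trust anchor, not as part of the path.
        TrustAnchor anchor = new TrustAnchor(loadCert(cf, "root.cer"), null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));

        // Section 6.3 revocation checking is on by default; state it explicitly and give the
        // validator CRLs to search, one from each issuing CA in the chain.
        params.setRevocationEnabled(true);
        Collection<X509CRL> crls = Arrays.asList(loadCrl(cf, "root.crl"), loadCrl(cf, "intermediate.crl"));
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX", "IBMCertPath");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("Path valid; anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // An undetermined revocation status surfaces here as a failed validation;
            // getIndex() gives the position of the offending certificate in the path (-1 if unknown).
            System.out.println("Path rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```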