The PKIXCertPathChecker Class

The PKIXCertPathChecker class is a powerful class that allows a user to extend a PKIX CertPathValidator or CertPathBuilder implementation. This class is an advanced feature that you might not need. However, if you are implementing a PKIX service provider, you should be familiar with this class.

The PKIXCertPathChecker class is an abstract class that executes one or more checks on an X.509 certificate. Developers should create concrete implementations of the PKIXCertPathChecker class when it is necessary to dynamically extend a PKIX CertPathValidator or CertPathBuilder implementation at run time. The following examples explain when a PKIXCertPathChecker implementation might be useful:

  • If the revocation mechanism supplied by a PKIX CertPathValidator or CertPathBuilder implementation is not adequate. For example, a developer might implement a PKIXCertPathChecker that uses OCSP (RFC 2560) to check that certificates have not been revoked.
  • If you want to recognize certificates containing a critical private extension. Because the extension is private, it will not be recognized by the PKIX CertPathValidator or CertPathBuilder implementation and a CertPathValidatorException will be thrown. In this case, a developer can implement a PKIXCertPathChecker that recognizes and processes the critical private extension.
  • If you want to record information about each certificate processed for debugging or display purposes.
  • If you want to reject certificates with certain policy qualifiers.

The setCertPathCheckers method of the PKIXParameters class allows a user to pass a List of PKIXCertPathChecker objects to a PKIX CertPathValidator or CertPathBuilder implementation. Each of the PKIXCertPathChecker objects will be called in turn, for each certificate processed by the PKIX CertPathValidator or CertPathBuilder implementation.
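The following is an added example, not code from the Java documentation: a concrete PKIXCertPathChecker that recognizes a critical private extension (the OID below is a placeholder, not a registered one) and marks it as processed, plus the PKIXParameters wiring that hands the checker to the PKIX CertPathValidator.

```java
import java.security.cert.*;
import java.util.*;

// Recognizes a hypothetical critical private extension so that the PKIX
// validator does not reject the path for an unrecognized critical extension.
public final class PrivateExtensionChecker extends PKIXCertPathChecker {
    // Placeholder OID for illustration only; substitute the real private OID.
    private static final String PRIVATE_EXT_OID = "1.3.6.1.4.1.99999.1";

    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        // Called once per path. This checker only supports reverse (trust
        // anchor first) order, which is what the PKIX validator uses.
        if (forward) {
            throw new CertPathValidatorException("forward checking not supported");
        }
    }

    @Override
    public boolean isForwardCheckingSupported() { return false; }

    @Override
    public Set<String> getSupportedExtensions() {
        return Collections.singleton(PRIVATE_EXT_OID);
    }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        // DER-encoded OCTET STRING of the extension value, or null if absent.
        byte[] der = x509.getExtensionValue(PRIVATE_EXT_OID);
        if (der != null) {
            if (der.length == 0) {
                throw new CertPathValidatorException("empty private extension");
            }
            // Removing the OID tells the validator this critical extension
            // has been handled; leaving it would fail the path.
            unresolvedCritExts.remove(PRIVATE_EXT_OID);
        }
    }

    // Wiring: PKIXParameters clones each checker, so per-path state must be
    // set up in init(), not in the instance passed here.
    public static PKIXCertPathValidatorResult validate(CertPath path, Set<TrustAnchor> anchors)
            throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setCertPathCheckers(Collections.singletonList(new PrivateExtensionChecker()));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }
}
```

Any check that throws CertPathValidatorException from check() causes the whole path validation to fail, which is how a checker rejects certificates it does not accept.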