public abstract class PKIXCertPathChecker extends Object implements CertPathChecker, Cloneable
A concrete implementation of the
can be created to extend the PKIX certification path validation algorithm.
For example, an implementation may check for and process a critical private
extension of each certificate in a certification path.
PKIXCertPathChecker are passed as parameters
class. Each of the
methods will be called, in turn, for each certificate processed by a PKIX
PKIXCertPathChecker may be called multiple times on
successive certificates in a certification path. Concrete subclasses
are expected to maintain any internal state that may be necessary to
check successive certificates. The
init method is used
to initialize the internal state of the checker so that the certificates
of a new certification path may be checked. A stateful implementation
must override the
clone method if necessary in
order to allow a PKIX
CertPathBuilder to efficiently
backtrack and try other paths. In these situations, the
CertPathBuilder is able to restore prior path validation
states by restoring the cloned
The order in which the certificates are presented to the
PKIXCertPathChecker may be either in the forward direction
(from target to most-trusted CA) or in the reverse direction (from
most-trusted CA to target). A
must support reverse checking (the ability to perform its checks when
it is presented with certificates in the reverse direction) and may
support forward checking (the ability to perform its checks when it is
presented with certificates in the forward direction). The
indicates whether forward checking is supported.
Additional input parameters required for executing the check may be specified through constructors of concrete implementations of this class.
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
|Modifier||Constructor and Description|
|Modifier and Type||Method and Description|
Performs the check(s) on the specified certificate using its internal state.
Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions.
Returns a clone of this object.
Returns an immutable
Initializes the internal state of this
Indicates if forward checking is supported.
public abstract void init(boolean forward) throws CertPathValidatorException
forward flag specifies the order that
certificates will be passed to the
(forward or reverse). A
support reverse checking and may support forward checking.
forward- the order that certificates are presented to the
true, certificates are presented from target to most-trusted CA (forward); if
false, from most-trusted CA to target (reverse).
CertPathValidatorException- if this
PKIXCertPathCheckeris unable to check certificates in the specified order; it should never be thrown if the forward flag is false since reverse checking must be supported
public abstract boolean isForwardCheckingSupported()
PKIXCertPathCheckerto perform its checks when certificates are presented to the
checkmethod in the forward direction (from target to most-trusted CA).
Setof X.509 certificate extensions that this
PKIXCertPathCheckersupports (i.e. recognizes, is able to process), or
nullif no extensions are supported.
Each element of the set is a
String representing the
Object Identifier (OID) of the X.509 extension that is supported.
The OID is represented by a set of nonnegative integers separated by
All X.509 certificate extensions that a
might possibly be able to process should be included in the set.
Setof X.509 extension OIDs (in
Stringformat) supported by this
nullif no extensions are supported
public abstract void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException
Certificateto be checked
Collectionof OID strings representing the current set of unresolved critical extensions
CertPathValidatorException- if the specified certificate does not pass the check
public void check(Certificate cert) throws CertPathValidatorException
This implementation calls
Submit a bug or feature
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
Copyright © 1993, 2017, Oracle and/or its affiliates. All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.