- java.lang.Object
- java.security.cert.PKIXCertPathChecker

- All Implemented Interfaces:
- Cloneable, CertPathChecker
- Direct Known Subclasses:
- PKIXRevocationChecker

public abstract class PKIXCertPathChecker extends Object implements CertPathChecker, Cloneable

An abstract class that performs one or more checks on an X509Certificate.

A concrete implementation of the PKIXCertPathChecker class can be created to extend the PKIX certification path validation algorithm. For example, an implementation may check for and process a critical private extension of each certificate in a certification path.

Instances of PKIXCertPathChecker are passed as parameters using the setCertPathCheckers or addCertPathChecker methods of the PKIXParameters and PKIXBuilderParameters class. Each of the PKIXCertPathCheckers check methods will be called, in turn, for each certificate processed by a PKIX CertPathValidator or CertPathBuilder implementation.

A PKIXCertPathChecker may be called multiple times on successive certificates in a certification path. Concrete subclasses are expected to maintain any internal state that may be necessary to check successive certificates. The init method is used to initialize the internal state of the checker so that the certificates of a new certification path may be checked. A stateful implementation must override the clone method if necessary in order to allow a PKIX CertPathBuilder to efficiently backtrack and try other paths. In these situations, the CertPathBuilder is able to restore prior path validation states by restoring the cloned PKIXCertPathCheckers.

The order in which the certificates are presented to the PKIXCertPathChecker may be either in the forward direction (from target to most-trusted CA) or in the reverse direction (from most-trusted CA to target). A PKIXCertPathChecker implementation must support reverse checking (the ability to perform its checks when it is presented with certificates in the reverse direction) and may support forward checking (the ability to perform its checks when it is presented with certificates in the forward direction). The isForwardCheckingSupported method indicates whether forward checking is supported.

Additional input parameters required for executing the check may be specified through constructors of concrete implementations of this class.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

- Since:
- 1.4
- See Also:
- PKIXParameters, PKIXBuilderParameters
 
Constructor Summary

Constructors (Modifier, Constructor, Description):
- protected PKIXCertPathChecker(): Default constructor.

Method Summary

Methods (Modifier and Type, Method, Description):
- void check(Certificate cert): Performs the check(s) on the specified certificate using its internal state.
- abstract void check(Certificate cert, Collection<String> unresolvedCritExts): Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions.
- Object clone(): Returns a clone of this object.
- abstract Set<String> getSupportedExtensions(): Returns an immutable Set of X.509 certificate extensions that this PKIXCertPathChecker supports (i.e. recognizes, is able to process), or null if no extensions are supported.
- abstract void init(boolean forward): Initializes the internal state of this PKIXCertPathChecker.
- abstract boolean isForwardCheckingSupported(): Indicates if forward checking is supported.
 
Method Detail

init

public abstract void init(boolean forward) throws CertPathValidatorException

Initializes the internal state of this PKIXCertPathChecker.

The forward flag specifies the order that certificates will be passed to the check method (forward or reverse). A PKIXCertPathChecker must support reverse checking and may support forward checking.

- Specified by:
- init in interface CertPathChecker
- Parameters:
- forward - the order that certificates are presented to the check method. If true, certificates are presented from target to most-trusted CA (forward); if false, from most-trusted CA to target (reverse).
- Throws:
- CertPathValidatorException - if this PKIXCertPathChecker is unable to check certificates in the specified order; it should never be thrown if the forward flag is false since reverse checking must be supported
 
isForwardCheckingSupported

public abstract boolean isForwardCheckingSupported()

Indicates if forward checking is supported. Forward checking refers to the ability of the PKIXCertPathChecker to perform its checks when certificates are presented to the check method in the forward direction (from target to most-trusted CA).

- Specified by:
- isForwardCheckingSupported in interface CertPathChecker
- Returns:
- true if forward checking is supported, false otherwise
 
getSupportedExtensions

public abstract Set<String> getSupportedExtensions()

Returns an immutable Set of X.509 certificate extensions that this PKIXCertPathChecker supports (i.e. recognizes, is able to process), or null if no extensions are supported.

Each element of the set is a String representing the Object Identifier (OID) of the X.509 extension that is supported. The OID is represented by a set of nonnegative integers separated by periods.

All X.509 certificate extensions that a PKIXCertPathChecker might possibly be able to process should be included in the set.

- Returns:
- an immutable Set of X.509 extension OIDs (in String format) supported by this PKIXCertPathChecker, or null if no extensions are supported
 
check

public abstract void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException

Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions. The certificates are presented in the order specified by the init method.

- Parameters:
- cert - the Certificate to be checked
- unresolvedCritExts - a Collection of OID strings representing the current set of unresolved critical extensions
- Throws:
- CertPathValidatorException - if the specified certificate does not pass the check
 
check

public void check(Certificate cert) throws CertPathValidatorException

Performs the check(s) on the specified certificate using its internal state. The certificates are presented in the order specified by the init method.

This implementation calls check(cert, java.util.Collections.<String>emptySet()).

- Specified by:
- check in interface CertPathChecker
- Parameters:
- cert - the Certificate to be checked
- Throws:
- CertPathValidatorException - if the specified certificate does not pass the check
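
A concrete checker of the kind the class description mentions, as an added example (not code from the JDK or from this documentation): it resolves one critical private extension, keeps per-path state, supports reverse checking only, and overrides clone. The class name, the OID (under the documentation enterprise number 32473) and the "value must match the issuer's" policy are assumptions made for illustration.

```java
import java.security.cert.*;
import java.util.*;

public class PrivateExtensionChecker extends PKIXCertPathChecker {
    // Hypothetical private extension OID, chosen for this example only.
    static final String EXT_OID = "1.3.6.1.4.1.32473.1.1";

    // Per-path state: the extension value carried by the certificate checked just before.
    private byte[] issuerValue;
    private boolean first;

    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        // This policy needs the issuer before the subject, so only reverse order works.
        if (forward) throw new CertPathValidatorException("forward checking not supported");
        issuerValue = null;
        first = true;
    }

    @Override
    public boolean isForwardCheckingSupported() { return false; }

    @Override
    public Set<String> getSupportedExtensions() { return Collections.singleton(EXT_OID); }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        if (!(cert instanceof X509Certificate))
            throw new CertPathValidatorException("not an X.509 certificate");
        // DER-encoded extension value, or null when the extension is absent.
        byte[] value = ((X509Certificate) cert).getExtensionValue(EXT_OID);
        // Assumed policy: every certificate below the first must match its issuer.
        if (!first && !Arrays.equals(value, issuerValue)) {
            throw new CertPathValidatorException("private extension differs from issuer");
        }
        issuerValue = value;
        first = false;
        // Report the extension as processed; otherwise it stays unresolved for the validator.
        if (unresolvedCritExts != null) unresolvedCritExts.remove(EXT_OID);
    }

    @Override
    public Object clone() {
        // Copy mutable state so a CertPathBuilder can backtrack to an earlier snapshot.
        PrivateExtensionChecker copy = (PrivateExtensionChecker) super.clone();
        if (issuerValue != null) copy.issuerValue = issuerValue.clone();
        return copy;
    }
}
```

An instance is registered with the addCertPathChecker method of PKIXParameters before validation; the check failure surfaces as a CertPathValidatorException from the validator.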
 
 