Cloneable
, CertPathChecker
PKIXRevocationChecker
public abstract class PKIXCertPathChecker extends Object implements CertPathChecker, Cloneable
X509Certificate
. A concrete implementation of the PKIXCertPathChecker
class can be created to extend the PKIX certification path validation algorithm. For example, an implementation may check for and process a critical private extension of each certificate in a certification path.
Instances of PKIXCertPathChecker
are passed as parameters using the setCertPathCheckers
or addCertPathChecker
methods of the PKIXParameters
and PKIXBuilderParameters
class. Each of the PKIXCertPathChecker
s check
methods will be called, in turn, for each certificate processed by a PKIX CertPathValidator
or CertPathBuilder
implementation.
A PKIXCertPathChecker
may be called multiple times on successive certificates in a certification path. Concrete subclasses are expected to maintain any internal state that may be necessary to check successive certificates. The init
method is used to initialize the internal state of the checker so that the certificates of a new certification path may be checked. A stateful implementation must override the clone
method if necessary in order to allow a PKIX CertPathBuilder
to efficiently backtrack and try other paths. In these situations, the CertPathBuilder
is able to restore prior path validation states by restoring the cloned PKIXCertPathChecker
s.
The order in which the certificates are presented to the PKIXCertPathChecker
may be either in the forward direction (from target to most-trusted CA) or in the reverse direction (from most-trusted CA to target). A PKIXCertPathChecker
implementation must support reverse checking (the ability to perform its checks when it is presented with certificates in the reverse direction) and may support forward checking (the ability to perform its checks when it is presented with certificates in the forward direction). The isForwardCheckingSupported
method indicates whether forward checking is supported.
Additional input parameters required for executing the check may be specified through constructors of concrete implementations of this class.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
Modifier | Constructor | Description |
---|---|---|
protected |
Default constructor. |
Modifier and Type | Method | Description |
---|---|---|
void |
check |
Performs the check(s) on the specified certificate using its internal state. |
abstract void |
check |
Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions. |
Object |
clone() |
Returns a clone of this object. |
abstract Set |
getSupportedExtensions() |
Returns an immutable Set of X.509 certificate extensions that this PKIXCertPathChecker supports (i.e. recognizes, is able to process), or null if no extensions are supported. |
abstract void |
init |
Initializes the internal state of this PKIXCertPathChecker . |
abstract boolean |
isForwardCheckingSupported() |
Indicates if forward checking is supported. |
protected PKIXCertPathChecker()
public abstract void init(boolean forward) throws CertPathValidatorException
PKIXCertPathChecker
. The forward
flag specifies the order that certificates will be passed to the check
method (forward or reverse). A PKIXCertPathChecker
must support reverse checking and may support forward checking.
init
in interface CertPathChecker
forward
- the order that certificates are presented to the check
method. If true
, certificates are presented from target to most-trusted CA (forward); if false
, from most-trusted CA to target (reverse).CertPathValidatorException
- if this PKIXCertPathChecker
is unable to check certificates in the specified order; it should never be thrown if the forward flag is false since reverse checking must be supportedpublic abstract boolean isForwardCheckingSupported()
PKIXCertPathChecker
to perform its checks when certificates are presented to the check
method in the forward direction (from target to most-trusted CA).isForwardCheckingSupported
in interface CertPathChecker
true
if forward checking is supported, false
otherwisepublic abstract Set<String> getSupportedExtensions()
Set
of X.509 certificate extensions that this PKIXCertPathChecker
supports (i.e. recognizes, is able to process), or null
if no extensions are supported. Each element of the set is a String
representing the Object Identifier (OID) of the X.509 extension that is supported. The OID is represented by a set of nonnegative integers separated by periods.
All X.509 certificate extensions that a PKIXCertPathChecker
might possibly be able to process should be included in the set.
Set
of X.509 extension OIDs (in String
format) supported by this PKIXCertPathChecker
, or null
if no extensions are supportedpublic abstract void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException
init
method.cert
- the Certificate
to be checkedunresolvedCritExts
- a Collection
of OID strings representing the current set of unresolved critical extensionsCertPathValidatorException
- if the specified certificate does not pass the checkpublic void check(Certificate cert) throws CertPathValidatorException
init
method. This implementation calls check(cert, java.util.Collections.<String>emptySet())
.
check
in interface CertPathChecker
cert
- the Certificate
to be checkedCertPathValidatorException
- if the specified certificate does not pass the checkpublic Object clone()
Object.clone()
method. All subclasses which maintain state must support and override this method, if necessary.
© 1993, 2023, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/cert/PKIXCertPathChecker.html