Added in API level 1

PKIXParameters

open class PKIXParameters : CertPathParameters
kotlin.Any
   ↳ java.security.cert.PKIXParameters

Parameters used as input for the PKIX CertPathValidator algorithm.

A PKIX CertPathValidator uses these parameters to validate a CertPath according to the PKIX certification path validation algorithm.

To instantiate a PKIXParameters object, an application must specify one or more most-trusted CAs as defined by the PKIX certification path validation algorithm. The most-trusted CAs can be specified using one of two constructors. An application can call PKIXParameters(Set), specifying a Set of TrustAnchor objects, each of which identify a most-trusted CA. Alternatively, an application can call PKIXParameters(KeyStore), specifying a KeyStore instance containing trusted certificate entries, each of which will be considered as a most-trusted CA.

Once a PKIXParameters object has been created, other parameters can be specified (by calling setInitialPolicies or setDate, for instance) and then the PKIXParameters is passed along with the CertPath to be validated to CertPathValidator.validate.

Any parameter that is not set (or is set to null) will be set to the default value for that parameter. The default value for the date parameter is null, which indicates the current time when the path is validated. The default for the remaining parameters is the least constrained.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Summary

Public constructors

Creates an instance of PKIXParameters that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified KeyStore.

Creates an instance of PKIXParameters with the specified Set of most-trusted CAs.

Public methods
open Unit

Adds a PKIXCertPathChecker to the list of certification path checkers.

open Unit

Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.

open Any

Makes a copy of this PKIXParameters object.

open MutableList<PKIXCertPathChecker!>!

Returns the List of certification path checkers.

open MutableList<CertStore!>!

Returns an immutable List of CertStores that are used to find certificates and CRLs.

open Date!

Returns the time for which the validity of the certification path should be determined.

open MutableSet<String!>!

Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.

open Boolean

Gets the PolicyQualifiersRejected flag.

open String!

Returns the signature provider's name, or null if not set.

open CertSelector!

Returns the required constraints on the target certificate.

open MutableSet<TrustAnchor!>!

Returns an immutable Set of the most-trusted CAs.

open Boolean

Checks whether the any policy OID should be processed if it is included in a certificate.

open Boolean

Checks if explicit policy is required.

open Boolean

Checks if policy mapping is inhibited.

open Boolean

Checks the RevocationEnabled flag.

open Unit

Sets state to determine if the any policy OID should be processed if it is included in a certificate.

open Unit

Sets a List of additional certification path checkers.

open Unit

Sets the list of CertStores to be used in finding certificates and CRLs.

open Unit
setDate(date: Date!)

Sets the time for which the validity of the certification path should be determined.

open Unit

Sets the ExplicitPolicyRequired flag.

open Unit
setInitialPolicies(initialPolicies: MutableSet<String!>!)

Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing.

open Unit

Sets the PolicyMappingInhibited flag.

open Unit
setPolicyQualifiersRejected(qualifiersRejected: Boolean)

Sets the PolicyQualifiersRejected flag.

open Unit

Sets the RevocationEnabled flag.

open Unit
setSigProvider(sigProvider: String!)

Sets the signature provider's name.

open Unit

Sets the required constraints on the target certificate.

open Unit

Sets the Set of most-trusted CAs.

open String

Returns a formatted string describing the parameters.

Public constructors

PKIXParameters

Added in API level 1
PKIXParameters(keystore: KeyStore!)

Creates an instance of PKIXParameters that populates the set of most-trusted CAs from the trusted certificate entries contained in the specified KeyStore. Only keystore entries that contain trusted X509Certificates are considered; all other certificate types are ignored.

Parameters
keystore KeyStore!: a KeyStore from which the set of most-trusted CAs will be populated
Exceptions
java.security.KeyStoreException if the keystore has not been initialized
java.security.InvalidAlgorithmParameterException if the keystore does not contain at least one trusted certificate entry
java.lang.NullPointerException if the keystore is null

PKIXParameters

Added in API level 1
PKIXParameters(trustAnchors: MutableSet<TrustAnchor!>!)

Creates an instance of PKIXParameters with the specified Set of most-trusted CAs. Each element of the set is a TrustAnchor.

Note that the Set is copied to protect against subsequent modifications.

Parameters
trustAnchors MutableSet<TrustAnchor!>!: a Set of TrustAnchors
Exceptions
java.security.InvalidAlgorithmParameterException if the specified Set is empty (trustAnchors.isEmpty() == true)
java.lang.NullPointerException if the specified Set is null
java.lang.ClassCastException if any of the elements in the Set are not of type java.security.cert.TrustAnchor

Public methods

addCertPathChecker

Added in API level 1
open fun addCertPathChecker(checker: PKIXCertPathChecker!): Unit

Adds a PKIXCertPathChecker to the list of certification path checkers. See the setCertPathCheckers method for more details.

Note that the PKIXCertPathChecker is cloned to protect against subsequent modifications.

Parameters
checker PKIXCertPathChecker!: a PKIXCertPathChecker to add to the list of checks. If null, the checker is ignored (not added to list).

addCertStore

Added in API level 1
open fun addCertStore(store: CertStore!): Unit

Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.

Parameters
store CertStore!: the CertStore to add. If null, the store is ignored (not added to list).

clone

Added in API level 1
open fun clone(): Any

Makes a copy of this PKIXParameters object. Changes to the copy will not affect the original and vice versa.

Return
Any a copy of this PKIXParameters object
Exceptions
java.lang.CloneNotSupportedException if the object's class does not support the Cloneable interface. Subclasses that override the clone method can also throw this exception to indicate that an instance cannot be cloned.

getCertPathCheckers

Added in API level 1
open fun getCertPathCheckers(): MutableList<PKIXCertPathChecker!>!

Returns the List of certification path checkers. The returned List is immutable, and each PKIXCertPathChecker in the List is cloned to protect against subsequent modifications.

Return
MutableList<PKIXCertPathChecker!>! an immutable List of PKIXCertPathCheckers (may be empty, but not null)

getCertStores

Added in API level 1
open fun getCertStores(): MutableList<CertStore!>!

Returns an immutable List of CertStores that are used to find certificates and CRLs.

Return
MutableList<CertStore!>! an immutable List of CertStores (may be empty, but never null)

See Also

getDate

Added in API level 1
open fun getDate(): Date!

Returns the time for which the validity of the certification path should be determined. If null, the current time is used.

Note that the Date returned is copied to protect against subsequent modifications.

Return
Date! the Date, or null if not set

See Also

getInitialPolicies

Added in API level 1
open fun getInitialPolicies(): MutableSet<String!>!

Returns an immutable Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. The default return value is an empty Set, which is interpreted as meaning that any policy would be acceptable.

Return
MutableSet<String!>! an immutable Set of initial policy OIDs in String format, or an empty Set (implying any policy is acceptable). Never returns null.

getPolicyQualifiersRejected

Added in API level 1
open fun getPolicyQualifiersRejected(): Boolean

Gets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

Return
Boolean the current value of the PolicyQualifiersRejected flag

getSigProvider

Added in API level 1
open fun getSigProvider(): String!

Returns the signature provider's name, or null if not set.

Return
String! the signature provider's name (or null)

See Also

getTargetCertConstraints

Added in API level 1
open fun getTargetCertConstraints(): CertSelector!

Returns the required constraints on the target certificate. The constraints are returned as an instance of CertSelector. If null, no constraints are defined.

Note that the CertSelector returned is cloned to protect against subsequent modifications.

Return
CertSelector! a CertSelector specifying the constraints on the target certificate (or null)

getTrustAnchors

Added in API level 1
open fun getTrustAnchors(): MutableSet<TrustAnchor!>!

Returns an immutable Set of the most-trusted CAs.

Return
MutableSet<TrustAnchor!>! an immutable Set of TrustAnchors (never null)

See Also

isAnyPolicyInhibited

Added in API level 1
open fun isAnyPolicyInhibited(): Boolean

Checks whether the any policy OID should be processed if it is included in a certificate.

Return
Boolean true if the any policy OID is inhibited, false otherwise

isExplicitPolicyRequired

Added in API level 1
open fun isExplicitPolicyRequired(): Boolean

Checks if explicit policy is required. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Return
Boolean true if explicit policy is required, false otherwise

isPolicyMappingInhibited

Added in API level 1
open fun isPolicyMappingInhibited(): Boolean

Checks if policy mapping is inhibited. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Return
Boolean true if policy mapping is inhibited, false otherwise

isRevocationEnabled

Added in API level 1
open fun isRevocationEnabled(): Boolean

Checks the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used). See the setRevocationEnabled method for more details on setting the value of this flag.

Return
Boolean the current value of the RevocationEnabled flag

setAnyPolicyInhibited

Added in API level 1
open fun setAnyPolicyInhibited(val: Boolean): Unit

Sets state to determine if the any policy OID should be processed if it is included in a certificate. By default, the any policy OID is not inhibited (isAnyPolicyInhibited() returns false).

Parameters
val Boolean: true if the any policy OID is to be inhibited, false otherwise

setCertPathCheckers

Added in API level 1
open fun setCertPathCheckers(checkers: MutableList<PKIXCertPathChecker!>!): Unit

Sets a List of additional certification path checkers. If the specified List contains an object that is not a PKIXCertPathChecker, it is ignored.

Each PKIXCertPathChecker specified implements additional checks on a certificate. Typically, these are checks to process and verify private extensions contained in certificates. Each PKIXCertPathChecker should be instantiated with any initialization parameters needed to execute the check.

This method allows sophisticated applications to extend a PKIX CertPathValidator or CertPathBuilder. Each of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX CertPathValidator or CertPathBuilder for each certificate processed or validated.

Regardless of whether these additional PKIXCertPathCheckers are set, a PKIX CertPathValidator or CertPathBuilder must perform all of the required PKIX checks on each certificate. The one exception to this rule is if the RevocationEnabled flag is set to false (see the setRevocationEnabled method).

Note that the List supplied here is copied and each PKIXCertPathChecker in the list is cloned to protect against subsequent modifications.

Parameters
checkers MutableList<PKIXCertPathChecker!>!: a List of PKIXCertPathCheckers. May be null, in which case no additional checkers will be used.
Exceptions
java.lang.ClassCastException if any of the elements in the list are not of type java.security.cert.PKIXCertPathChecker

setCertStores

Added in API level 1
open fun setCertStores(stores: MutableList<CertStore!>!): Unit

Sets the list of CertStores to be used in finding certificates and CRLs. May be null, in which case no CertStores will be used. The first CertStores in the list may be preferred to those that appear later.

Note that the List is copied to protect against subsequent modifications.

Parameters
stores MutableList<CertStore!>!: a List of CertStores (or null)
Exceptions
java.lang.ClassCastException if any of the elements in the list are not of type java.security.cert.CertStore

See Also

setDate

Added in API level 1
open fun setDate(date: Date!): Unit

Sets the time for which the validity of the certification path should be determined. If null, the current time is used.

Note that the Date supplied here is copied to protect against subsequent modifications.

Parameters
date Date!: the Date, or null for the current time

See Also

setExplicitPolicyRequired

Added in API level 1
open fun setExplicitPolicyRequired(val: Boolean): Unit

Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.

Parameters
val Boolean: true if explicit policy is to be required, false otherwise

setInitialPolicies

Added in API level 1
open fun setInitialPolicies(initialPolicies: MutableSet<String!>!): Unit

Sets the Set of initial policy identifiers (OID strings), indicating that any one of these policies would be acceptable to the certificate user for the purposes of certification path processing. By default, any policy is acceptable (i.e. all policies), so a user that wants to allow any policy as acceptable does not need to call this method, or can call it with an empty Set (or null).

Note that the Set is copied to protect against subsequent modifications.

Parameters
initialPolicies MutableSet<String!>!: a Set of initial policy OIDs in String format (or null)
Exceptions
java.lang.ClassCastException if any of the elements in the set are not of type String

setPolicyMappingInhibited

Added in API level 1
open fun setPolicyMappingInhibited(val: Boolean): Unit

Sets the PolicyMappingInhibited flag. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).

Parameters
val Boolean: true if policy mapping is to be inhibited, false otherwise

setPolicyQualifiersRejected

Added in API level 1
open fun setPolicyQualifiersRejected(qualifiersRejected: Boolean): Unit

Sets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.

Parameters
qualifiersRejected Boolean: the new value of the PolicyQualifiersRejected flag

setRevocationEnabled

Added in API level 1
open fun setRevocationEnabled(val: Boolean): Unit

Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used).

When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).

Parameters
val Boolean: the new value of the RevocationEnabled flag

setSigProvider

Added in API level 1
open fun setSigProvider(sigProvider: String!): Unit

Sets the signature provider's name. The specified provider will be preferred when creating Signature objects. If null or not set, the first provider found supporting the algorithm will be used.

Parameters
sigProvider String!: the signature provider's name (or null)

See Also

setTargetCertConstraints

Added in API level 1
open fun setTargetCertConstraints(selector: CertSelector!): Unit

Sets the required constraints on the target certificate. The constraints are specified as an instance of CertSelector. If null, no constraints are defined.

Note that the CertSelector specified is cloned to protect against subsequent modifications.

Parameters
selector CertSelector!: a CertSelector specifying the constraints on the target certificate (or null)

setTrustAnchors

Added in API level 1
open fun setTrustAnchors(trustAnchors: MutableSet<TrustAnchor!>!): Unit

Sets the Set of most-trusted CAs.

Note that the Set is copied to protect against subsequent modifications.

Parameters
trustAnchors MutableSet<TrustAnchor!>!: a Set of TrustAnchors
Exceptions
java.security.InvalidAlgorithmParameterException if the specified Set is empty (trustAnchors.isEmpty() == true)
java.lang.NullPointerException if the specified Set is null
java.lang.ClassCastException if any of the elements in the set are not of type java.security.cert.TrustAnchor

See Also

toString

Added in API level 1
open fun toString(): String

Returns a formatted string describing the parameters.

Return
String a formatted string describing the parameters.