Module java.base
Package java.security.cert

Class PKIXParameters

java.lang.Object
java.security.cert.PKIXParameters
所有已实现的接口:
Cloneable, CertPathParameters
直接已知的子类:
PKIXBuilderParameters
public class PKIXParameters extends Object implements CertPathParameters
用作PKIX CertPathValidator算法输入的参数。

PKIX CertPathValidator使用这些参数根据PKIX认证路径验证算法验证CertPath

要实例化一个PKIXParameters对象,应用程序必须根据PKIX认证路径验证算法定义的一个或多个最受信任的CA指定。最受信任的CA可以使用两种构造函数之一指定。应用程序可以调用PKIXParameters(Set),指定一个TrustAnchor对象的Set,每个对象标识一个最受信任的CA。另外,应用程序可以调用PKIXParameters(KeyStore),指定一个包含受信任证书条目的KeyStore实例,其中每个条目将被视为最受信任的CA。

创建了PKIXParameters对象后,可以指定其他参数(例如通过调用setInitialPoliciessetDate),然后将PKIXParameters与要验证的CertPath一起传递给CertPathValidator.validate

任何未设置的参数(或设置为null)将设置为该参数的默认值。 date参数的默认值为null,表示验证路径时的当前时间。其余参数的默认值为最不受限制的。

并发访问

除非另有说明,此类中定义的方法不是线程安全的。需要同时访问单个对象的多个线程应在它们之间同步并提供必要的锁定。每个操作不需要同步的多个线程分别操作不同的对象。

自:
1.4
参见:

  • Constructor Details

  • Method Details

    • getTrustAnchors

      public Set<TrustAnchor> getTrustAnchors()
      返回一个不可变的最受信任CA的Set
      返回:
      一个不可变的Set,包含TrustAnchor(永不为null
      参见:

    • setTrustAnchors

      public void setTrustAnchors(Set<TrustAnchor> trustAnchors) throws InvalidAlgorithmParameterException
      设置最受信任CA的Set

      请注意,为防止后续修改,将复制Set

      参数:
      trustAnchors - 一个TrustAnchorSet
      抛出:
      InvalidAlgorithmParameterException - 如果指定的Set为空(trustAnchors.isEmpty() == true)
      NullPointerException - 如果指定的Setnull
      ClassCastException - 如果集合中的任何元素不是java.security.cert.TrustAnchor类型
      参见:

    • getInitialPolicies

      public Set<String> getInitialPolicies()
      返回一个不可变的初始策略标识符(OID字符串)的Set,指示这些策略中的任何一个对于证书用户来说都是可接受的,用于认证路径处理的目的。默认返回值是一个空的Set,解释为任何策略都是可接受的。
      返回:
      一个不可变的Set,包含String格式的初始策略OID,或一个空的Set(表示任何策略都是可接受)。永不返回null
      参见:

    • setInitialPolicies

      public void setInitialPolicies(Set<String> initialPolicies)
      设置初始策略标识符(OID字符串)的Set,指示这些策略中的任何一个对于证书用户来说都是可接受的,用于认证路径处理的目的。默认情况下,任何策略都是可接受的(即所有策略),因此希望允许任何策略作为可接受的用户不需要调用此方法,或者可以使用空的Set(或null)调用它。

      请注意,为防止后续修改,将复制Set

      Parameters:
      initialPolicies - a Set of initial policy OIDs in String format (or null)
      Throws:
      ClassCastException - if any of the elements in the set are not of type String
      See Also:

    • setCertStores

      public void setCertStores(List<CertStore> stores)
      Sets the list of CertStores to be used in finding certificates and CRLs. May be null, in which case no CertStores will be used. The first CertStores in the list may be preferred to those that appear later.

      Note that the List is copied to protect against subsequent modifications.

      Parameters:
      stores - a List of CertStores (or null)
      Throws:
      ClassCastException - if any of the elements in the list are not of type java.security.cert.CertStore
      See Also:

    • addCertStore

      public void addCertStore(CertStore store)
      Adds a CertStore to the end of the list of CertStores used in finding certificates and CRLs.
      Parameters:
      store - the CertStore to add. If null, the store is ignored (not added to list).

    • getCertStores

      public List<CertStore> getCertStores()
      Returns an immutable List of CertStores that are used to find certificates and CRLs.
      Returns:
      an immutable List of CertStores (may be empty, but never null)
      See Also:

    • setRevocationEnabled

      public void setRevocationEnabled(boolean val)
      Sets the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used, unless a PKIXRevocationChecker is passed in as a CertPathChecker (see below for further explanation). If this flag is false, the default revocation checking mechanism will be disabled (not used).

      When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).

      Note that when a PKIXRevocationChecker is passed in as a parameter via the addCertPathChecker or setCertPathCheckers methods, it will be used to check revocation irrespective of the setting of the RevocationEnabled flag.

      Parameters:
      val - the new value of the RevocationEnabled flag

    • isRevocationEnabled

      public boolean isRevocationEnabled()
      Checks the RevocationEnabled flag. If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used, unless a PKIXRevocationChecker is passed in as a CertPathChecker. If this flag is false, the default revocation checking mechanism will be disabled (not used). See the setRevocationEnabled method for more details on setting the value of this flag.
      Returns:
      the current value of the RevocationEnabled flag

    • setExplicitPolicyRequired

      public void setExplicitPolicyRequired(boolean val)
      Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.
      Parameters:
      val - true if explicit policy is to be required, false otherwise

    • isExplicitPolicyRequired

      public boolean isExplicitPolicyRequired()
      Checks if explicit policy is required. If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. By default, the ExplicitPolicyRequired flag is false.
      Returns:
      true if explicit policy is required, false otherwise

    • setPolicyMappingInhibited

      public void setPolicyMappingInhibited(boolean val)
      Sets the PolicyMappingInhibited flag. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).
      Parameters:
      val - true if policy mapping is to be inhibited, false otherwise

    • isPolicyMappingInhibited

      public boolean isPolicyMappingInhibited()
      Checks if policy mapping is inhibited. If this flag is true, policy mapping is inhibited. By default, policy mapping is not inhibited (the flag is false).
      Returns:
      true if policy mapping is inhibited, false otherwise

    • setAnyPolicyInhibited

      public void setAnyPolicyInhibited(boolean val)
      Sets state to determine if the any policy OID should be processed if it is included in a certificate. By default, the any policy OID is not inhibited (isAnyPolicyInhibited() returns false).
      Parameters:
      val - true if the any policy OID is to be inhibited, false otherwise

    • isAnyPolicyInhibited

      public boolean isAnyPolicyInhibited()
      Checks whether the any policy OID should be processed if it is included in a certificate.
      Returns:
      true if the any policy OID is inhibited, false otherwise

    • setPolicyQualifiersRejected

      public void setPolicyQualifiersRejected(boolean qualifiersRejected)
      Sets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.

      When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

      Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated. Otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant.

      Parameters:
      qualifiersRejected - the new value of the PolicyQualifiersRejected flag
      See Also:

    • getPolicyQualifiersRejected

      public boolean getPolicyQualifiersRejected()
      Gets the PolicyQualifiersRejected flag. If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis.

      When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common (and simplest) strategy for processing policy qualifiers. Applications that want to use a more sophisticated policy must set this flag to false.

      Returns:
      the current value of the PolicyQualifiersRejected flag
      See Also:

    • getDate

      public Date getDate()
      Returns the time for which the validity of the certification path should be determined. If null, the current time is used.

      Note that the Date returned is copied to protect against subsequent modifications.

      Returns:
      the Date, or null if not set
      See Also:

    • setDate

      public void setDate(Date date)
      Sets the time for which the validity of the certification path should be determined. If null, the current time is used.

      Note that the Date supplied here is copied to protect against subsequent modifications.

      Parameters:
      date - the Date, or null for the current time
      See Also:

    • setCertPathCheckers

      public void setCertPathCheckers(List<PKIXCertPathChecker> checkers)
      Sets a List of additional certification path checkers. If the specified List contains an object that is not a PKIXCertPathChecker, it is ignored.

      Each PKIXCertPathChecker specified implements additional checks on a certificate. Typically, these are checks to process and verify private extensions contained in certificates. Each PKIXCertPathChecker should be instantiated with any initialization parameters needed to execute the check.

      This method allows sophisticated applications to extend a PKIX CertPathValidator or CertPathBuilder. Each of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX CertPathValidator or CertPathBuilder for each certificate processed or validated.

      Regardless of whether these additional PKIXCertPathCheckers are set, a PKIX CertPathValidator or CertPathBuilder must perform all of the required PKIX checks on each certificate. The one exception to this rule is if the RevocationEnabled flag is set to false (see the setRevocationEnabled method).

      Note that the List supplied here is copied and each PKIXCertPathChecker in the list is cloned to protect against subsequent modifications.

      参数:
      checkers - 一个List,其中包含PKIXCertPathChecker。可能为null,在这种情况下将不使用任何额外的检查器。
      抛出:
      ClassCastException - 如果列表中的任何元素不是java.security.cert.PKIXCertPathChecker类型
      参见:

    • getCertPathCheckers

      public List<PKIXCertPathChecker> getCertPathCheckers()
      返回证书路径检查器的List。返回的List是不可变的,List中的每个PKIXCertPathChecker都会被克隆以防止后续修改。
      返回:
      一个不可变的List,包含PKIXCertPathChecker(可能为空,但不为null
      参见:

    • addCertPathChecker

      public void addCertPathChecker(PKIXCertPathChecker checker)
      向证书路径检查器列表添加一个PKIXCertPathChecker。有关更多详细信息,请参阅setCertPathCheckers方法。

      请注意,PKIXCertPathChecker会被克隆以防止后续修改。

      参数:
      checker - 要添加到检查列表中的PKIXCertPathChecker。如果为null,则会被忽略(不会添加到列表中)。

    • getSigProvider

      public String getSigProvider()
      返回签名提供程序的名称,如果未设置则返回null
      返回:
      签名提供程序的名称(或null
      参见:

    • setSigProvider

      public void setSigProvider(String sigProvider)
      设置签名提供程序的名称。在创建Signature对象时,将优先使用指定的提供程序。如果为null或未设置,则将使用支持该算法的第一个找到的提供程序。
      参数:
      sigProvider - 签名提供程序的名称(或null
      参见:

    • getTargetCertConstraints

      public CertSelector getTargetCertConstraints()
      返回目标证书的所需约束。约束将作为CertSelector的实例返回。如果为null,则未定义任何约束。

      请注意,返回的CertSelector会被克隆以防止后续修改。

      返回:
      指定目标证书约束的CertSelector(或null
      参见:

    • setTargetCertConstraints

      public void setTargetCertConstraints(CertSelector selector)
      设置目标证书的所需约束。约束将作为CertSelector的实例指定。如果为null,则未定义任何约束。

      请注意,指定的CertSelector会被克隆以防止后续修改。

      参数:
      selector - 指定目标证书约束的CertSelector(或null
      参见:

    • clone

      public Object clone()
      复制此PKIXParameters对象。对副本的更改不会影响原始对象,反之亦然。
      指定者:
      clone 在接口 CertPathParameters
      覆盖:
      clone 在类 Object
      返回:
      PKIXParameters对象的副本
      参见:

    • toString

      public String toString()
      返回描述参数的格式化字符串。
      覆盖:
      toString 在类 Object
      返回:
      描述参数的格式化字符串。