Class PKIXCertificateValidationProvider
- All Implemented Interfaces:
CertificateValidationProvider
A CertificateValidationProvider that uses a PKIX CertPathBuilder.
Since Java's PKIX API doesn't give access to the CRLs used in the certification path validation, this is done manually. For each issuer in the path there has to be a CRL which is valid at the moment of validation (signature and date).
The builder(KeyStore) method can be used to configure and create a new instance.
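The per-issuer CRL requirement described above, written against standard JCA types as an added example; it is not this library's own code. The class and method names are hypothetical, and it assumes each CRL is signed directly with the issuer certificate's key (no indirect CRLs or separate CRL-signing certificates).

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Added illustration: class and method names are hypothetical, not the library's API.
public final class CrlPerIssuerCheck {

    /**
     * @param path   leaf-first chain without the trust anchor (CertPath order)
     * @param anchor trust-anchor certificate that issued the last element of path
     * @param crls   candidate CRLs gathered by the caller
     * @return one accepted CRL per issuer, in path order
     */
    static List<X509CRL> selectCrls(List<X509Certificate> path, X509Certificate anchor,
            Collection<X509CRL> crls, Date validationDate) throws CertPathValidatorException {
        List<X509CRL> accepted = new ArrayList<>();
        for (int i = 0; i < path.size(); i++) {
            // The issuer of element i is element i + 1; the last element is issued by the anchor.
            X509Certificate issuer = (i + 1 < path.size()) ? path.get(i + 1) : anchor;
            X509CRL crl = findValidCrl(issuer, crls, validationDate);
            if (crl == null) {
                // Fail closed: a missing or stale CRL must not count as "not revoked".
                throw new CertPathValidatorException(
                        "No valid CRL for issuer " + issuer.getSubjectX500Principal());
            }
            accepted.add(crl);
        }
        return accepted;
    }

    static X509CRL findValidCrl(X509Certificate issuer, Collection<X509CRL> crls, Date when) {
        for (X509CRL crl : crls) {
            if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) continue;
            Date next = crl.getNextUpdate();
            // Date check: thisUpdate <= when < nextUpdate. Assumption: no nextUpdate means rejected.
            if (crl.getThisUpdate().after(when) || next == null || !next.after(when)) continue;
            try {
                crl.verify(issuer.getPublicKey()); // signature check with the issuer's key
                return crl;
            } catch (GeneralSecurityException e) {
                // Bad signature or unsupported algorithm: try the next candidate.
            }
        }
        return null;
    }
}
```

The method only selects CRLs; checking whether a certificate is listed in them is a separate step.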
- Author:
Luís
Nested Class Summary
Method Summary
- builder(KeyStore trustAnchors): Create a builder to configure a new PKIXCertificateValidationProvider.
- validate(X509CertSelector certSelector, Date validationDate, Collection<X509Certificate> otherCerts): Validates the certificate identified by the given certificate selector and returns the resulting validation data (certificate chain and possibly CRLs).
Method Details
builder
Create a builder to configure a new PKIXCertificateValidationProvider.
- Parameters:
trustAnchors - the keystore with the trust-anchors (TrustedCertificateEntry)
- Returns:
the builder
validate
public ValidationData validate(X509CertSelector certSelector, Date validationDate, Collection<X509Certificate> otherCerts) throws CertificateValidationException, UnexpectedJCAException
Description copied from interface: CertificateValidationProvider
Validates the certificate identified by the given certificate selector and returns the resulting validation data (certificate chain and possibly CRLs).
This method receives a set of certificates collected from the validation context that can be used to build the certification path. For instance, when verifying the signature's certificate, certificates collected from KeyInfo are supplied; when verifying a timestamp token, the certificates contained in the timestamp token itself are supplied.
Additional certificates may be needed to build a certification path. This means that the provider must have access to those additional certificates out of band.
- Specified by:
validate in interface CertificateValidationProvider
- Parameters:
certSelector - identifies the intended leaf certificate for the current validation. This certificate may or may not be available on the validation context (it usually is). This selector is created using information from the different X509Data elements within KeyInfo.
validationDate - the time for which the validity of the certification path should be determined
otherCerts - a set of certificates that can be used to validate the leaf certificate, collected from the validation context. May include the certificate that will be selected by certSelector.
- Returns:
the validation data resulting from the validation of the certificate selected by certSelector
- Throws:
CertificateValidationException - if the certificate cannot be validated (see subclasses of the exception)
UnexpectedJCAException