CertPath (Java Platform SE 8 ) (original) (raw)

An immutable sequence of certificates (a certification path).

This is an abstract class that defines the methods common to allCertPaths. Subclasses can handle different kinds of certificates (X.509, PGP, etc.).

All CertPath objects have a type, a list ofCertificates, and one or more supported encodings. Because theCertPath class is immutable, a CertPath cannot change in any externally visible way after being constructed. This stipulation applies to all public fields and methods of this class and any added or overridden by subclasses.

The type is a String that identifies the type ofCertificates in the certification path. For each certificate cert in a certification path certPath,cert.getType().equals(certPath.getType()) must betrue.

The list of Certificates is an ordered List of zero or more Certificates. This List and all of the Certificates contained in it must be immutable.

Each CertPath object must support one or more encodings so that the object can be translated into a byte array for storage or transmission to other parties. Preferably, these encodings should be well-documented standards (such as PKCS#7). One of the encodings supported by a CertPath is considered the default encoding. This encoding is used if no encoding is explicitly requested (for thegetEncoded() method, for instance).

All CertPath objects are also Serializable.CertPath objects are resolved into an alternateCertPathRep object during serialization. This allows a CertPath object to be serialized into an equivalent representation regardless of its underlying implementation.

CertPath objects can be created with aCertificateFactory or they can be returned by other classes, such as a CertPathBuilder.

By convention, X.509 CertPaths (consisting ofX509Certificates), are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the TrustAnchor should not be included in the certification path. Unvalidated X.509 CertPaths may not follow these conventions. PKIX CertPathValidators will detect any departure from these conventions that cause the certification path to be invalid and throw a CertPathValidatorException.

Every implementation of the Java platform is required to support the following standard CertPath encodings:

• PKCS7
• PkiPath

These encodings are described in the CertPath Encodings section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Consult the release documentation for your implementation to see if any other encodings are supported.

Concurrent Access

All CertPath objects must be thread-safe. That is, multiple threads may concurrently invoke the methods defined in this class on a single CertPath object (or more than one) with no ill effects. This is also true for the List returned byCertPath.getCertificates.

Requiring CertPath objects to be immutable and thread-safe allows them to be passed around to various pieces of code without worrying about coordinating access. Providing this thread-safety is generally not difficult, since the CertPath andList objects in question are immutable.