A CertPath is an immutable sequence, or chain, of certificates that establishes a "certification path" from an unknown "end entity" to a known and trusted Certificate Authority, or "trust anchor". A CertPath by itself proves nothing: it is only an ordered container, and nothing in it is checked when it is created. Use a CertPathValidator (algorithm "PKIX" in the default provider) to validate the chain and establish trust in the public key presented in the certificate of the end entity.

getType( ) returns the type of the certificates in the CertPath . For X.509 certificate chains (the only type supported by the default "SUN" provider) this method returns "X.509". getCertificates( ) returns a java.util.List object that contains the Certificate objects that comprise the chain; for X.509 chains, the list contains X509Certificate objects. For X.509 certificate paths, the List returned by getCertificates( ) starts with the certificate of the end entity and ends with a certificate signed by the trust anchor: the issuer (signer) of any certificate but the last must be the subject of the next certificate in the List . If the end entity presents a certificate that is signed directly by a trust anchor (not an uncommon occurrence), the List returned by getCertificates( ) consists of only that single certificate. Note that the list never includes the certificate of the trust anchor itself.

The public keys of trusted CAs must be known to the system in advance. In Sun's JDK implementation, the public-key certificates of trusted CAs are stored in the keystore file jre/lib/security/cacerts (lib/security/cacerts in JDK 9 and later, which have no jre directory). Anyone who can write that file can add a trust anchor that every PKIX validation in that JVM will accept, so it deserves the same protection as the JDK binaries themselves.

CertPath objects can be created with a CertificateFactory , either from a List of Certificate objects you already hold or by parsing (decoding) an encoded path from a binary stream, or, when the chain first has to be discovered from a pool of candidate certificates, with a CertPathBuilder object. The getEncoded( ) methods reverse the parsing step and encode a CertPath into an array of bytes. getEncodings( ) returns the encodings supported for a CertPath . The first returned encoding name is the default one used by the no-argument getEncoded( ) , but you can select any supported encoding with the one-argument version of getEncoded( ) .
The default "SUN" provider supports encodings named "PKCS7" and "PkiPath". "PkiPath" is the X.509 ASN.1 SEQUENCE OF Certificate, which is stored in the opposite order from the List returned by getCertificates( ) (the certificate nearest the trust anchor comes first on the wire); "PKCS7" wraps the certificates in a PKCS#7 SignedData structure. Decoding either form only extracts the certificates it carries and checks no signature, so a CertPath parsed from untrusted bytes needs a CertPathValidator afterwards exactly as a hand-built List does. CertPath objects are immutable, as are the List object returned by getCertificates( ) and the Certificate objects contained in the list. Furthermore, all CertPath methods are thread-safe.

Figure 14-53. java.security.cert.CertPath

public abstract class CertPath implements Serializable {
// Protected Constructors
   protected CertPath(String type);
// Nested Types
   protected static class CertPathRep implements Serializable;
// Public Instance Methods
   public abstract java.util.List<? extends java.security.cert.Certificate> getCertificates( );
   public abstract byte[ ] getEncoded( ) throws CertificateEncodingException;
   public abstract byte[ ] getEncoded(String encoding) throws CertificateEncodingException;
   public abstract java.util.Iterator<String> getEncodings( );
   public String getType( );
// Public Methods Overriding Object
   public boolean equals(Object other);
   public int hashCode( );
   public String toString( );
// Protected Instance Methods
   protected Object writeReplace( ) throws java.io.ObjectStreamException;
}

Passed To: java.security.CodeSigner.CodeSigner( ) , java.security.Timestamp.Timestamp( ) , CertPathValidator.validate( ) , CertPathValidatorException.CertPathValidatorException( ) , CertPathValidatorSpi.engineValidate( ) , PKIXCertPathBuilderResult.PKIXCertPathBuilderResult( )

Returned By: java.security.CodeSigner.getSignerCertPath( ) , java.security.Timestamp.getSignerCertPath( ) , CertificateFactory.generateCertPath( ) , CertificateFactorySpi.engineGenerateCertPath( ) , CertPathBuilderResult.getCertPath( ) , CertPathValidatorException.getCertPath( ) , PKIXCertPathBuilderResult.getCertPath( )
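The following program is an added example written for this entry; it is not code from the book or from the JDK. It walks through everything described above: it builds a CertPath with CertificateFactory from certificate files named on the command line (end-entity first, then each intermediate, in the same order getCertificates( ) uses), checks the issuer/subject and signature linkage between neighbours, round-trips the path through every encoding getEncodings( ) reports, and finally establishes trust with the "PKIX" CertPathValidator against the JDK's default trust anchors. The class name CertPathDemo, the helper names, and the assumption that the files are PEM or DER certificates readable by the "X.509" CertificateFactory are mine; it requires Java 8 or later for CertPathValidator.getRevocationChecker( ).

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical demo (not JDK code): build, inspect, re-encode and validate an X.509 CertPath.
 * Usage: java CertPathDemo end-entity.pem [intermediate.pem ...]
 */
public class CertPathDemo {

    /** Reads every certificate in a PEM or DER file; a PEM file may hold several blocks. */
    static List<X509Certificate> loadCerts(CertificateFactory cf, String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** The JDK's default trust anchors (cacerts), obtained through the default TrustManager without a password. */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /** Structural check only: each certificate's issuer is the next one's subject and its signature verifies with that key. */
    static void checkLinkage(List<? extends Certificate> certs) throws Exception {
        for (int i = 0; i + 1 < certs.size(); i++) {
            X509Certificate child = (X509Certificate) certs.get(i);
            X509Certificate parent = (X509Certificate) certs.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                throw new CertPathValidatorException("issuer/subject mismatch at index " + i);
            }
            child.verify(parent.getPublicKey());   // throws if the signature does not check out
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: java CertPathDemo end-entity.pem [intermediate.pem ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String file : args) chain.addAll(loadCerts(cf, file));

        // 1. Build the path. Nothing is verified here: a CertPath is only an ordered container.
        CertPath path = cf.generateCertPath(chain);
        System.out.println("type=" + path.getType() + " length=" + path.getCertificates().size());
        for (Certificate c : path.getCertificates()) {
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        }
        checkLinkage(path.getCertificates());

        // 2. Encodings: the first name from getEncodings() is the default used by the no-arg getEncoded().
        for (Iterator<String> it = path.getEncodings(); it.hasNext(); ) {
            String enc = it.next();
            byte[] bytes = path.getEncoded(enc);
            CertPath back = cf.generateCertPath(new ByteArrayInputStream(bytes), enc);
            System.out.println("  " + enc + ": " + bytes.length + " bytes, round-trip equal=" + path.equals(back));
        }

        // 3. Establish trust: PKIX validation against the default anchors, with revocation checking on.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(defaultTrustAnchors());
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        params.addCertPathChecker(rc);   // fetches OCSP/CRLs over the network; fails closed if status is undecidable
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(path, params);
            // The anchor is not part of getCertificates(); the validator reports which one it chained to.
            System.out.println("valid; anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("INVALID at index " + e.getIndex() + " (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

The common shortcut is params.setRevocationEnabled(false), which makes validation succeed offline but also accepts a revoked certificate; adding the provider's PKIXRevocationChecker instead keeps the check and lets you tune it (for example Option.SOFT_FAIL when the OCSP responder is unreachable) rather than switching it off. Note also that checkLinkage only confirms the chain is well formed; validity periods, name constraints, key usage and path-length limits are what CertPathValidator adds on top.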