CertPath


CertPath java.security.cert

Java 1.4 serializable

A CertPath is an immutable sequence or chain of certificates that establishes a "certification path" from an unknown "end entity" to a known and trusted Certificate Authority or "trust anchor". Use a CertPathValidator to validate a certificate chain and establish trust in the public key presented in the certificate of the end entity.

getType( ) returns the type of the certificates in the CertPath. For X.509 certificate chains (the only type supported by the default "SUN" provider) this method returns "X.509". getCertificates( ) returns a java.util.List object that contains the Certificate objects that comprise the chain. For X.509 chains, the list contains X509Certificate objects. Also, for X.509 certificate paths, the List returned by getCertificates( ) starts with the certificate of the end entity, and ends with a certificate signed by the trust anchor. The signer of any certificate but the last must be the subject of the next certificate in the List. If the end entity presents a certificate that is directly signed by a trust anchor (which is a not uncommon occurrence) then the List returned by getCertificates( ) consists of only that single certificate. Note that the list of certificates does not include the certificate of the trust anchor. The public keys of trusted CAs must be known by the system in advance. In Sun's JDK implementation, the public-key certificates of trusted CAs are stored in the file jre/lib/security/cacerts.

CertPath objects can be created with a CertificateFactory, or at a lower level with a CertPathBuilder object. A CertificateFactory can parse or decode a CertPath object from a binary stream. The getEncoded( ) methods reverse the process and encode a CertPath into an array of bytes. getEncodings( ) returns the encodings supported for a CertPath. The first returned encoding name is the default one, but you can use any supported encoding by using the one-argument version of getEncoded( ). The default "SUN" provider supports encodings named "PKCS7" and "PkiPath".

CertPath objects are immutable, as are the List object returned by getCertificates( ) and the Certificate objects contained in the list. Furthermore, all CertPath methods are threadsafe.
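
The following is an added example, not code from the book: it builds a CertPath with a CertificateFactory, checks the ordering rule described above, round-trips the path through the "PkiPath" encoding, and validates it with a CertPathValidator against the JDK's default trusted CAs. The class name CertPathDemo and the PEM file passed as args[0] are assumptions; the file must hold the chain with the end-entity certificate first and without the trust anchor.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertPathDemo {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // args[0]: PEM file supplied by the reader (assumption), end entity first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        CertPath path = cf.generateCertPath(certs);

        // Ordering rule: the issuer of certificate i is the subject of certificate i+1.
        for (int i = 0; i + 1 < certs.size(); i++) {
            if (!certs.get(i).getIssuerX500Principal()
                    .equals(certs.get(i + 1).getSubjectX500Principal()))
                throw new CertificateException("chain out of order at index " + i);
        }

        // Encode with a named encoding, decode again, and compare the two paths.
        byte[] der = path.getEncoded("PkiPath");
        CertPath copy = cf.generateCertPath(new ByteArrayInputStream(der), "PkiPath");
        System.out.println("type=" + path.getType() + ", default encoding="
                + path.getEncodings().next() + ", round trip equal=" + path.equals(copy));

        // Trust anchors: the platform's default trusted CAs (the cacerts store).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(ca, null));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // off so the example runs offline; enable in real use
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("trusted via " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in getCertificates() of the failing certificate (-1 if n/a).
            System.out.println("rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A rejected path reports the index of the certificate that failed, which is usually the fastest way to tell an expired intermediate from a chain that does not lead to any trusted CA.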

Figure 14-53. java.security.cert.CertPath

public abstract class CertPath implements Serializable {
// Protected Constructors
    protected CertPath(String type);
// Nested Types
    protected static class CertPathRep implements Serializable;
// Public Instance Methods
    public abstract java.util.List<? extends java.security.cert.Certificate> getCertificates( );
    public abstract byte[ ] getEncoded( ) throws CertificateEncodingException;
    public abstract byte[ ] getEncoded(String encoding)
        throws CertificateEncodingException;
    public abstract java.util.Iterator<String> getEncodings( );
    public String getType( );
// Public Methods Overriding Object
    public boolean equals(Object other);
    public int hashCode( );
    public String toString( );
// Protected Instance Methods
    protected Object writeReplace( ) throws java.io.ObjectStreamException;
}

Passed To

java.security.CodeSigner.CodeSigner( ), java.security.Timestamp.Timestamp( ), CertPathValidator.validate( ), CertPathValidatorException.CertPathValidatorException( ), CertPathValidatorSpi.engineValidate( ), PKIXCertPathBuilderResult.PKIXCertPathBuilderResult( )

Returned By

java.security.CodeSigner.getSignerCertPath( ), java.security.Timestamp.getSignerCertPath( ), CertificateFactory.generateCertPath( ), CertificateFactorySpi.engineGenerateCertPath( ), CertPathBuilderResult.getCertPath( ), CertPathValidatorException.getCertPath( ), PKIXCertPathBuilderResult.getCertPath( )



Java In A Nutshell, 5th Edition
ISBN: 0596007736
EAN: 2147483647
Year: 2004
Pages: 1220