OpenJDK 1.22 · java.security.cert.TrustAnchor · APIdia, the JavaDoc alternative

Modifier and Type	Field and Description
private final String	caName
private final X500Principal	caPrincipal
private boolean	hasJdkCABeenChecked
private boolean	jdkCA
private NameConstraintsExtension	nc
private byte[]	ncBytes
private final PublicKey	pubKey
private final X509Certificate	trustedCert

Constructor Summary

Access	Constructor and Description
public	TrustAnchor(X509Certificate a trusted `X509Certificate` trustedCert, byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. nameConstraints) Creates an instance of `TrustAnchor` with the specified `X509Certificate` and optional name constraints, which are intended to be used as additional constraints when validating an X.509 certification path.
public	TrustAnchor(X500Principal the name of the most-trusted CA as X500Principal caPrincipal, PublicKey the public key of the most-trusted CA pubKey, byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. nameConstraints) Creates an instance of `TrustAnchor` where the most-trusted CA is specified as an X500Principal and public key.
public	TrustAnchor(String the X.500 distinguished name of the most-trusted CA in RFC 2253 `String` format caName, PublicKey the public key of the most-trusted CA pubKey, byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. nameConstraints) Creates an instance of `TrustAnchor` where the most-trusted CA is specified as a distinguished name and public key.

Method Summary

Modifier and Type	Method and Description
public final X500Principal	Returns: the X.500 distinguished name of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair getCA() Returns the name of the most-trusted CA as an X500Principal.
public final String	Returns: the X.500 distinguished name of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair getCAName() Returns the name of the most-trusted CA in RFC 2253 `String` format.
public final PublicKey	Returns: the public key of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair getCAPublicKey() Returns the public key of the most-trusted CA.
public final byte[]	Returns: a byte array containing the ASN.1 DER encoding of a NameConstraints extension used for checking name constraints, or `null` if not set. getNameConstraints() Returns the name constraints parameter.
public final X509Certificate	Returns: a trusted `X509Certificate` or `null` if the trust anchor was not specified as a trusted certificate getTrustedCert() Returns the most-trusted CA certificate.
pack-priv synchronized boolean	isJdkCA() Returns true if anchor is a JDK CA (a root CA that is included by default in the cacerts keystore).
private void	setNameConstraints(byte[] bytes) Decode the name constraints and clone them if not null.
public String	Returns: a formatted string describing the `TrustAnchor` toString() Overrides java.lang.Object.toString. Returns a formatted string describing the `TrustAnchor`.

Inherited from java.lang.Object:: clone equals finalize getClass hashCode notify notifyAll wait wait wait

Field Detail

caName	back to summary
private final String caName

caPrincipal	back to summary
private final X500Principal caPrincipal

hasJdkCABeenChecked	back to summary
private boolean hasJdkCABeenChecked

jdkCA	back to summary
private boolean jdkCA

nc	back to summary
private NameConstraintsExtension nc

ncBytes	back to summary
private byte[] ncBytes

pubKey	back to summary
private final PublicKey pubKey

trustedCert	back to summary
private final X509Certificate trustedCert

Constructor Detail

TrustAnchor back to summary

TrustAnchor	back to summary
public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) Creates an instance of `TrustAnchor` with the specified `X509Certificate` and optional name constraints, which are intended to be used as additional constraints when validating an X.509 certification path. The name constraints are specified as a byte array. This byte array should contain the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 definition of this structure appears below. NameConstraints ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL, excludedSubtrees [1] GeneralSubtrees OPTIONAL } GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree GeneralSubtree ::= SEQUENCE { base GeneralName, minimum [0] BaseDistance DEFAULT 0, maximum [1] BaseDistance OPTIONAL } BaseDistance ::= INTEGER (0..MAX) GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER} Note that the name constraints byte array supplied is cloned to protect against subsequent modifications. Parameters trustedCert:X509Certificate a trusted `X509Certificate` nameConstraints:byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. Exceptions IllegalArgumentException: if the name constraints cannot be decoded NullPointerException: if the specified `X509Certificate` is `null`

public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)

Creates an instance of TrustAnchor with the specified X509Certificate and optional name constraints, which are intended to be used as additional constraints when validating an X.509 certification path.

The name constraints are specified as a byte array. This byte array should contain the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 definition of this structure appears below.

NameConstraints ::= SEQUENCE {
      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

 GeneralSubtree ::= SEQUENCE {
      base                    GeneralName,
      minimum         [0]     BaseDistance DEFAULT 0,
      maximum         [1]     BaseDistance OPTIONAL }

 BaseDistance ::= INTEGER (0..MAX)

 GeneralName ::= CHOICE {
      otherName                       [0]     OtherName,
      rfc822Name                      [1]     IA5String,
      dNSName                         [2]     IA5String,
      x400Address                     [3]     ORAddress,
      directoryName                   [4]     Name,
      ediPartyName                    [5]     EDIPartyName,
      uniformResourceIdentifier       [6]     IA5String,
      iPAddress                       [7]     OCTET STRING,
      registeredID                    [8]     OBJECT IDENTIFIER}

Note that the name constraints byte array supplied is cloned to protect against subsequent modifications.

Parameters

trustedCert:X509Certificate: a trusted X509Certificate
nameConstraints:byte[]: a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Exceptions

IllegalArgumentException:: if the name constraints cannot be decoded
NullPointerException:: if the specified X509Certificate is null

TrustAnchor back to summary

TrustAnchor	back to summary
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints) Creates an instance of `TrustAnchor` where the most-trusted CA is specified as an X500Principal and public key. Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path. The name constraints are specified as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for `TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)` . Note that the name constraints byte array supplied here is cloned to protect against subsequent modifications. Parameters caPrincipal:X500Principal the name of the most-trusted CA as X500Principal pubKey:PublicKey the public key of the most-trusted CA nameConstraints:byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. Exceptions NullPointerException: if the specified `caPrincipal` or `pubKey` parameter is `null` Since 1.5

public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints)

Creates an instance of TrustAnchor where the most-trusted CA is specified as an X500Principal and public key. Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path.

The name constraints are specified as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) .

Note that the name constraints byte array supplied here is cloned to protect against subsequent modifications.

Parameters

caPrincipal:X500Principal: the name of the most-trusted CA as X500Principal
pubKey:PublicKey: the public key of the most-trusted CA
nameConstraints:byte[]: a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Exceptions

NullPointerException:: if the specified caPrincipal or pubKey parameter is null

Since

1.5

TrustAnchor back to summary

TrustAnchor	back to summary
public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints) Creates an instance of `TrustAnchor` where the most-trusted CA is specified as a distinguished name and public key. Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path. The name constraints are specified as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for `TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)` . Note that the name constraints byte array supplied here is cloned to protect against subsequent modifications. Parameters caName:String the X.500 distinguished name of the most-trusted CA in RFC 2253 `String` format pubKey:PublicKey the public key of the most-trusted CA nameConstraints:byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify `null` to omit the parameter. Exceptions IllegalArgumentException: if the specified `caName` parameter is empty `(caName.length() == 0)` or incorrectly formatted or the name constraints cannot be decoded NullPointerException: if the specified `caName` or `pubKey` parameter is `null`

public TrustAnchor(String caName, PublicKey pubKey, byte[] nameConstraints)

Creates an instance of TrustAnchor where the most-trusted CA is specified as a distinguished name and public key. Name constraints are an optional parameter, and are intended to be used as additional constraints when validating an X.509 certification path.

Note that the name constraints byte array supplied here is cloned to protect against subsequent modifications.

Parameters

caName:String: the X.500 distinguished name of the most-trusted CA in RFC 2253 String format
pubKey:PublicKey: the public key of the most-trusted CA
nameConstraints:byte[]: a byte array containing the ASN.1 DER encoding of a NameConstraints extension to be used for checking name constraints. Only the value of the extension is included, not the OID or criticality flag. Specify null to omit the parameter.

Exceptions

IllegalArgumentException:: if the specified caName parameter is empty (caName.length() == 0) or incorrectly formatted or the name constraints cannot be decoded
NullPointerException:: if the specified caName or pubKey parameter is null

Method Detail

getCA back to summary

getCA	back to summary
public final X500Principal getCA() Returns the name of the most-trusted CA as an X500Principal. Returns:X500Principal the X.500 distinguished name of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair Since 1.5

public final X500Principal getCA()

Returns the name of the most-trusted CA as an X500Principal.

Returns:X500Principal: the X.500 distinguished name of the most-trusted CA, or null if the trust anchor was not specified as a trusted public key and name or X500Principal pair
Since: 1.5

getCAName back to summary

getCAName	back to summary
public final String getCAName() Returns the name of the most-trusted CA in RFC 2253 `String` format. Returns:String the X.500 distinguished name of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair

public final String getCAName()

Returns the name of the most-trusted CA in RFC 2253 String format.

Returns:String: the X.500 distinguished name of the most-trusted CA, or null if the trust anchor was not specified as a trusted public key and name or X500Principal pair

getCAPublicKey back to summary

getCAPublicKey	back to summary
public final PublicKey getCAPublicKey() Returns the public key of the most-trusted CA. Returns:PublicKey the public key of the most-trusted CA, or `null` if the trust anchor was not specified as a trusted public key and name or X500Principal pair

public final PublicKey getCAPublicKey()

Returns the public key of the most-trusted CA.

Returns:PublicKey: the public key of the most-trusted CA, or null if the trust anchor was not specified as a trusted public key and name or X500Principal pair

getNameConstraints back to summary

getNameConstraints	back to summary
public final byte[] getNameConstraints() Returns the name constraints parameter. The specified name constraints are associated with this trust anchor and are intended to be used as additional constraints when validating an X.509 certification path. The name constraints are returned as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for `TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)` . Note that the byte array returned is cloned to protect against subsequent modifications. Returns:byte[] a byte array containing the ASN.1 DER encoding of a NameConstraints extension used for checking name constraints, or `null` if not set.

public final byte[] getNameConstraints()

Returns the name constraints parameter. The specified name constraints are associated with this trust anchor and are intended to be used as additional constraints when validating an X.509 certification path.

The name constraints are returned as a byte array. This byte array contains the DER encoded form of the name constraints, as they would appear in the NameConstraints structure defined in RFC 5280 and X.509. The ASN.1 notation for this structure is supplied in the documentation for TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints) .

Note that the byte array returned is cloned to protect against subsequent modifications.

Returns:byte[]: a byte array containing the ASN.1 DER encoding of a NameConstraints extension used for checking name constraints, or null if not set.

getTrustedCert back to summary

getTrustedCert	back to summary
public final X509Certificate getTrustedCert() Returns the most-trusted CA certificate. Returns:X509Certificate a trusted `X509Certificate` or `null` if the trust anchor was not specified as a trusted certificate

public final X509Certificate getTrustedCert()

Returns the most-trusted CA certificate.

Returns:X509Certificate: a trusted X509Certificate or null if the trust anchor was not specified as a trusted certificate

isJdkCA	back to summary
pack-priv synchronized boolean isJdkCA() Returns true if anchor is a JDK CA (a root CA that is included by default in the cacerts keystore).

setNameConstraints	back to summary
private void setNameConstraints(byte[] bytes) Decode the name constraints and clone them if not null.

toString back to summary

toString	back to summary
public String toString() Overrides java.lang.Object.toString. Returns a formatted string describing the `TrustAnchor`. Returns:String a formatted string describing the `TrustAnchor`

public String toString()

Overrides java.lang.Object.toString.

Returns a formatted string describing the TrustAnchor.

Returns:String: a formatted string describing the TrustAnchor

public Class TrustAnchor

Field Summary

Constructor Summary

Method Summary

Field Detail

Constructor Detail

Method Detail