PKI Module

The PKI module is intended to construct and verify certificate chains according to pkix and the chain model.

Configuration

To configure the system wide parameters use the PKIFactory.configure(PKIConfiguration config) method. All other settings are so called profile data and can be specified per request.

CA-Certificates

A certificate is accepted as CA certificate if at least one of the following conditions is true:

The BasicConstraints certificate extension is present and the CA boolean is set.
The critical KeyUsage extension is present and the KeyCertSign bit is set.
The KeyUsage extension is not critical.
No KeyUsage extension is present or the KeyUsage extension cannot be parsed.

These settings guarantee a maximum interoperability.

Limitations

Currently the library supports archiving of CRLs only.
Delta CRLs are not yet supported.
Name constraints processing is not supported.

Usage

First of all the module has to be configured before one can use it.
PKIFactory.getInstance().configure(config_, transactionId);
This configuration must be called every time the configuration changes. Afterwards you can get an pki instance from the PKIFactory
PKIModule pki = PKIFactory.getInstance().getPKIModule(profile);
This pki instance can now be used to validate certificates:
PKIResult result = pki.validateCertificate(date, endEntityCertificate, supplementalCertificates, endEntityKeyUsage, transactionId);