sun.security.provider.certpath: public final class: SunCertPathBuilder

sun.security.provider.certpath
public final class: SunCertPathBuilder [javadoc | source]

java.lang.Object
   java.security.cert.CertPathBuilderSpi
      sun.security.provider.certpath.SunCertPathBuilder

This class is able to build certification paths in either the forward or reverse directions.

If successful, it returns a certification path which has succesfully satisfied all the constraints and requirements specified in the PKIXBuilderParameters object and has been validated according to the PKIX path validation algorithm defined in RFC 3280.

This implementation uses a depth-first search approach to finding certification paths. If it comes to a point in which it cannot find any more certificates leading to the target OR the path length is too long it backtracks to previous paths until the target has been found or all possible paths have been exhausted.

This implementation is not thread-safe.

since: 1.4 -

author: Sean - Mullan

author: Yassir - Elley

Constructor:

Constructor:
public SunCertPathBuilder() throws CertPathBuilderException { try { cf = CertificateFactory.getInstance("X.509"); } catch (CertificateException e) { throw new CertPathBuilderException(e); } } Create an instance of `SunCertPathBuilder`. Throws: `CertPathBuilderException` - if an error occurs

 public SunCertPathBuilder() throws CertPathBuilderException {
                    
        try {
            cf = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new CertPathBuilderException(e);
        }
}

SunCertPathBuilder

Throws:

CertPathBuilderException - if an error occurs

Method from sun.security.provider.certpath.SunCertPathBuilder Summary:
depthFirstSearchForward, depthFirstSearchReverse, engineBuild

Methods from java.security.cert.CertPathBuilderSpi:
engineBuild

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from sun.security.provider.certpath.SunCertPathBuilder Detail:
void depthFirstSearchForward(X500Principal dN, ForwardState currentState, ForwardBuilder builder, List adjList, LinkedList certPathList) throws IOException, GeneralSecurityException { //XXX This method should probably catch & handle exceptions if (debug != null) { debug.println("SunCertPathBuilder.depthFirstSearchForward(" + dN + ", " + currentState.toString() + ")"); } /* * Find all the certificates issued to dN which * satisfy the PKIX certification path constraints. / List< Vertex > vertices = addVertices (builder.getMatchingCerts(currentState, orderedCertStores), adjList); if (debug != null) { debug.println("SunCertPathBuilder.depthFirstSearchForward(): " + "certs.size=" + vertices.size()); } / * For each cert in the collection, verify anything * that hasn't been checked yet (signature, revocation, etc) * and check for loops. Call depthFirstSearchForward() * recursively for each good cert. / vertices: for (Vertex vertex : vertices) { /* * Restore state to currentState each time through the loop. * This is important because some of the user-defined * checkers modify the state, which MUST be restored if * the cert eventually fails to lead to the target and * the next matching cert is tried. / ForwardState nextState = (ForwardState) currentState.clone(); X509Certificate cert = (X509Certificate) vertex.getCertificate(); try { builder.verifyCert(cert, nextState, certPathList); } catch (GeneralSecurityException gse) { if (debug != null) { debug.println("SunCertPathBuilder.depthFirstSearchForward()" + ": validation failed: " + gse); gse.printStackTrace(); } vertex.setThrowable(gse); continue; } / * Certificate is good. * If cert completes the path, * process userCheckers that don't support forward checking * and process policies over whole path * and backtrack appropriately if there is a failure * else if cert does not complete the path, * add it to the path / if (builder.isPathCompleted(cert)) { BasicChecker basicChecker = null; if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchForward()" + ": commencing final verification"); ArrayList< X509Certificate > appendedCerts = new ArrayList< X509Certificate >(certPathList); / * if the trust anchor selected is specified as a trusted * public key rather than a trusted cert, then verify this * cert (which is signed by the trusted public key), but * don't add it yet to the certPathList / if (builder.trustAnchor.getTrustedCert() == null) { appendedCerts.add(0, cert); } HashSet< String > initExpPolSet = new HashSet< String >(1); initExpPolSet.add(PolicyChecker.ANY_POLICY); PolicyNodeImpl rootNode = new PolicyNodeImpl(null, PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); PolicyChecker policyChecker = new PolicyChecker(buildParams.getInitialPolicies(), appendedCerts.size(), buildParams.isExplicitPolicyRequired(), buildParams.isPolicyMappingInhibited(), buildParams.isAnyPolicyInhibited(), buildParams.getPolicyQualifiersRejected(), rootNode); List< PKIXCertPathChecker > userCheckers = new ArrayList< PKIXCertPathChecker > (buildParams.getCertPathCheckers()); int mustCheck = 0; userCheckers.add(mustCheck, policyChecker); mustCheck++; if (nextState.keyParamsNeeded()) { PublicKey rootKey = cert.getPublicKey(); if (builder.trustAnchor.getTrustedCert() == null) { rootKey = builder.trustAnchor.getCAPublicKey(); if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchForward" + " using buildParams public key: " + rootKey.toString()); } TrustAnchor anchor = new TrustAnchor (cert.getSubjectX500Principal(), rootKey, null); basicChecker = new BasicChecker(anchor, builder.date, buildParams.getSigProvider(), true); userCheckers.add(mustCheck, basicChecker); mustCheck++; if (buildParams.isRevocationEnabled()) { userCheckers.add(mustCheck, new CrlRevocationChecker(anchor, buildParams)); mustCheck++; } } for (int i=0; i< appendedCerts.size(); i++) { X509Certificate currCert = appendedCerts.get(i); if (debug != null) debug.println("current subject = " + currCert.getSubjectX500Principal()); Set< String > unresCritExts = currCert.getCriticalExtensionOIDs(); if (unresCritExts == null) { unresCritExts = Collections.< String >emptySet(); } for (int j=0; j< userCheckers.size(); j++) { PKIXCertPathChecker currChecker = userCheckers.get(j); if (j < mustCheck \|\| !currChecker.isForwardCheckingSupported()) { if (i == 0) { currChecker.init(false); } try { currChecker.check(currCert, unresCritExts); } catch (CertPathValidatorException cpve) { if (debug != null) debug.println ("SunCertPathBuilder.depthFirstSearchForward(): " + "final verification failed: " + cpve); vertex.setThrowable(cpve); continue vertices; } } } / * Remove extensions from user checkers that support * forward checking. After this step, we will have * removed all extensions that all user checkers * are capable of processing. / for (PKIXCertPathChecker checker : buildParams.getCertPathCheckers()) { if (checker.isForwardCheckingSupported()) { Set< String > suppExts = checker.getSupportedExtensions(); if (suppExts != null) { unresCritExts.removeAll(suppExts); } } } if (!unresCritExts.isEmpty()) { unresCritExts.remove (PKIXExtensions.BasicConstraints_Id.toString()); unresCritExts.remove (PKIXExtensions.NameConstraints_Id.toString()); unresCritExts.remove (PKIXExtensions.CertificatePolicies_Id.toString()); unresCritExts.remove (PKIXExtensions.PolicyMappings_Id.toString()); unresCritExts.remove (PKIXExtensions.PolicyConstraints_Id.toString()); unresCritExts.remove (PKIXExtensions.InhibitAnyPolicy_Id.toString()); unresCritExts.remove(PKIXExtensions. SubjectAlternativeName_Id.toString()); unresCritExts.remove (PKIXExtensions.KeyUsage_Id.toString()); unresCritExts.remove (PKIXExtensions.ExtendedKeyUsage_Id.toString()); if (!unresCritExts.isEmpty()) { throw new CertPathValidatorException("unrecognized " + "critical extension(s)"); } } } if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchForward()" + ": final verification succeeded - path completed!"); pathCompleted = true; / * if the user specified a trusted public key rather than * trusted certs, then add this cert (which is signed by * the trusted public key) to the certPathList / if (builder.trustAnchor.getTrustedCert() == null) builder.addCertToPath(cert, certPathList); // Save the trust anchor this.trustAnchor = builder.trustAnchor; / * Extract and save the final target public key / if (basicChecker != null) { finalPublicKey = basicChecker.getPublicKey(); } else { Certificate finalCert; if (certPathList.size() == 0) { finalCert = builder.trustAnchor.getTrustedCert(); } else { finalCert = certPathList.get(certPathList.size()-1); } finalPublicKey = finalCert.getPublicKey(); } policyTreeResult = policyChecker.getPolicyTree(); return; } else { builder.addCertToPath(cert, certPathList); } / Update the PKIX state / nextState.updateState(cert); / * Append an entry for cert in adjacency list and * set index for current vertex. / adjList.add(new LinkedList< Vertex >()); vertex.setIndex(adjList.size() - 1); / recursively search for matching certs at next dN / depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, builder, adjList, certPathList); / * If path has been completed, return ASAP! / if (pathCompleted) { return; } else { / * If we get here, it means we have searched all possible * certs issued by the dN w/o finding any matching certs. * This means we have to backtrack to the previous cert in * the path and try some other paths. */ if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchForward()" + ": backtracking"); builder.removeFinalCertFromPath(certPathList); } } }
void depthFirstSearchReverse(X500Principal dN, ReverseState currentState, ReverseBuilder builder, List adjList, LinkedList certPathList) throws IOException, GeneralSecurityException { if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse(" + dN + ", " + currentState.toString() + ")"); /* * Find all the certificates issued by dN which * satisfy the PKIX certification path constraints. / List< Vertex > vertices = addVertices (builder.getMatchingCerts(currentState, orderedCertStores), adjList); if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse(): " + "certs.size=" + vertices.size()); / * For each cert in the collection, verify anything * that hasn't been checked yet (signature, revocation, etc) * and check for loops. Call depthFirstSearchReverse() * recursively for each good cert. / for (Vertex vertex : vertices) { /* * Restore state to currentState each time through the loop. * This is important because some of the user-defined * checkers modify the state, which MUST be restored if * the cert eventually fails to lead to the target and * the next matching cert is tried. / ReverseState nextState = (ReverseState) currentState.clone(); X509Certificate cert = (X509Certificate) vertex.getCertificate(); try { builder.verifyCert(cert, nextState, certPathList); } catch (GeneralSecurityException gse) { if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse()" + ": validation failed: " + gse); vertex.setThrowable(gse); continue; } / * Certificate is good, add it to the path (if it isn't a * self-signed cert) and update state / if (!currentState.isInitial()) builder.addCertToPath(cert, certPathList); // save trust anchor this.trustAnchor = currentState.trustAnchor; / * Check if path is completed, return ASAP if so. / if (builder.isPathCompleted(cert)) { if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse()" + ": path completed!"); pathCompleted = true; PolicyNodeImpl rootNode = nextState.rootNode; if (rootNode == null) policyTreeResult = null; else { policyTreeResult = rootNode.copyTree(); ((PolicyNodeImpl)policyTreeResult).setImmutable(); } / * Extract and save the final target public key / finalPublicKey = cert.getPublicKey(); if (finalPublicKey instanceof DSAPublicKey && ((DSAPublicKey)finalPublicKey).getParams() == null) { finalPublicKey = BasicChecker.makeInheritedParamsKey (finalPublicKey, currentState.pubKey); } return; } / Update the PKIX state / nextState.updateState(cert); / * Append an entry for cert in adjacency list and * set index for current vertex. / adjList.add(new LinkedList< Vertex >()); vertex.setIndex(adjList.size() - 1); / recursively search for matching certs at next dN / depthFirstSearchReverse(cert.getSubjectX500Principal(), nextState, builder, adjList, certPathList); / * If path has been completed, return ASAP! / if (pathCompleted) { return; } else { / * If we get here, it means we have searched all possible * certs issued by the dN w/o finding any matching certs. This * means we have to backtrack to the previous cert in the path * and try some other paths. */ if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse()" + ": backtracking"); if (!currentState.isInitial()) builder.removeFinalCertFromPath(certPathList); } } if (debug != null) debug.println("SunCertPathBuilder.depthFirstSearchReverse() all " + "certs in this adjacency list checked"); }
public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException { if (debug != null) { debug.println("SunCertPathBuilder.engineBuild(" + params + ")"); } if (!(params instanceof PKIXBuilderParameters)) { throw new InvalidAlgorithmParameterException("inappropriate " + "parameter type, must be an instance of PKIXBuilderParameters"); } boolean buildForward = true; if (params instanceof SunCertPathBuilderParameters) { buildForward = ((SunCertPathBuilderParameters)params).getBuildForward(); } buildParams = (PKIXBuilderParameters)params; /* Check mandatory parameters */ // Make sure that none of the trust anchors include name constraints // (not supported). for (TrustAnchor anchor : buildParams.getTrustAnchors()) { if (anchor.getNameConstraints() != null) { throw new InvalidAlgorithmParameterException ("name constraints in trust anchor not supported"); } } CertSelector sel = buildParams.getTargetCertConstraints(); if (!(sel instanceof X509CertSelector)) { throw new InvalidAlgorithmParameterException("the " + "targetCertConstraints parameter must be an " + "X509CertSelector"); } targetSel = (X509CertSelector)sel; targetSubjectDN = targetSel.getSubject(); if (targetSubjectDN == null) { X509Certificate targetCert = targetSel.getCertificate(); if (targetCert != null) { targetSubjectDN = targetCert.getSubjectX500Principal(); } } // reorder CertStores so that local CertStores are tried first orderedCertStores = new ArrayList< CertStore >(buildParams.getCertStores()); Collections.sort(orderedCertStores, new CertStoreComparator()); if (targetSubjectDN == null) { targetSubjectDN = getTargetSubjectDN(orderedCertStores, targetSel); } if (targetSubjectDN == null) { throw new InvalidAlgorithmParameterException ("Could not determine unique target subject"); } List< List< Vertex > > adjList = new ArrayList< List< Vertex > >(); CertPathBuilderResult result = buildCertPath(buildForward, false, adjList); if (result == null) { if (debug != null) { debug.println("SunCertPathBuilder.engineBuild: 2nd pass"); } // try again adjList.clear(); result = buildCertPath(buildForward, true, adjList); if (result == null) { throw new SunCertPathBuilderException("unable to find valid " + "certification path to requested target", new AdjacencyList(adjList)); } } return result; } Attempts to build a certification path using the Sun build algorithm from a trusted anchor(s) to a target subject, which must both be specified in the input parameter set. By default, this method will attempt to build in the forward direction. In order to build in the reverse direction, the caller needs to pass in an instance of SunCertPathBuilderParameters with the buildForward flag set to false. The certification path that is constructed is validated according to the PKIX specification.

Method from sun.security.provider.certpath.SunCertPathBuilder Detail:

  void depthFirstSearchForward(X500Principal dN,
    ForwardState currentState,
    ForwardBuilder builder,
    List adjList,
    LinkedList certPathList) throws IOException, GeneralSecurityException {
        //XXX This method should probably catch & handle exceptions
        if (debug != null) {
            debug.println("SunCertPathBuilder.depthFirstSearchForward(" + dN
                + ", " + currentState.toString() + ")");
        }
        /*
         * Find all the certificates issued to dN which
         * satisfy the PKIX certification path constraints.
         */
        List< Vertex > vertices = addVertices
           (builder.getMatchingCerts(currentState, orderedCertStores), adjList);
        if (debug != null) {
            debug.println("SunCertPathBuilder.depthFirstSearchForward(): "
                + "certs.size=" + vertices.size());
        }
        /*
         * For each cert in the collection, verify anything
         * that hasn't been checked yet (signature, revocation, etc)
         * and check for loops. Call depthFirstSearchForward()
         * recursively for each good cert.
         */
               vertices:
        for (Vertex vertex : vertices) {
            /**
             * Restore state to currentState each time through the loop.
             * This is important because some of the user-defined
             * checkers modify the state, which MUST be restored if
             * the cert eventually fails to lead to the target and
             * the next matching cert is tried.
             */
            ForwardState nextState = (ForwardState) currentState.clone();
            X509Certificate cert = (X509Certificate) vertex.getCertificate();
            try {
                builder.verifyCert(cert, nextState, certPathList);
            } catch (GeneralSecurityException gse) {
                if (debug != null) {
                    debug.println("SunCertPathBuilder.depthFirstSearchForward()"
                        + ": validation failed: " + gse);
                    gse.printStackTrace();
                }
                vertex.setThrowable(gse);
                continue;
            }
            /*
             * Certificate is good.
             * If cert completes the path,
             *    process userCheckers that don't support forward checking
             *    and process policies over whole path
             *    and backtrack appropriately if there is a failure
             * else if cert does not complete the path,
             *    add it to the path
             */
            if (builder.isPathCompleted(cert)) {
                BasicChecker basicChecker = null;
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchForward()"
                        + ": commencing final verification");
                ArrayList< X509Certificate > appendedCerts =
                    new ArrayList< X509Certificate >(certPathList);
                /*
                 * if the trust anchor selected is specified as a trusted
                 * public key rather than a trusted cert, then verify this
                 * cert (which is signed by the trusted public key), but
                 * don't add it yet to the certPathList
                 */
                if (builder.trustAnchor.getTrustedCert() == null) {
                    appendedCerts.add(0, cert);
                }
                HashSet< String > initExpPolSet = new HashSet< String >(1);
                initExpPolSet.add(PolicyChecker.ANY_POLICY);
                PolicyNodeImpl rootNode = new PolicyNodeImpl(null,
                    PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false);
                PolicyChecker policyChecker
                    = new PolicyChecker(buildParams.getInitialPolicies(),
                                appendedCerts.size(),
                                buildParams.isExplicitPolicyRequired(),
                                buildParams.isPolicyMappingInhibited(),
                                buildParams.isAnyPolicyInhibited(),
                                buildParams.getPolicyQualifiersRejected(),
                                rootNode);
                List< PKIXCertPathChecker > userCheckers = new
                    ArrayList< PKIXCertPathChecker >
                        (buildParams.getCertPathCheckers());
                int mustCheck = 0;
                userCheckers.add(mustCheck, policyChecker);
                mustCheck++;
                if (nextState.keyParamsNeeded()) {
                    PublicKey rootKey = cert.getPublicKey();
                    if (builder.trustAnchor.getTrustedCert() == null) {
                        rootKey = builder.trustAnchor.getCAPublicKey();
                        if (debug != null)
                            debug.println("SunCertPathBuilder.depthFirstSearchForward" +
                                          " using buildParams public key: " +
                                          rootKey.toString());
                    }
                    TrustAnchor anchor = new TrustAnchor
                        (cert.getSubjectX500Principal(), rootKey, null);
                    basicChecker = new BasicChecker(anchor,
                                           builder.date,
                                           buildParams.getSigProvider(),
                                           true);
                    userCheckers.add(mustCheck, basicChecker);
                    mustCheck++;
                    if (buildParams.isRevocationEnabled()) {
                        userCheckers.add(mustCheck,
                            new CrlRevocationChecker(anchor, buildParams));
                        mustCheck++;
                    }
                }
                for (int i=0; i< appendedCerts.size(); i++) {
                    X509Certificate currCert = appendedCerts.get(i);
                    if (debug != null)
                        debug.println("current subject = "
                                      + currCert.getSubjectX500Principal());
                    Set< String > unresCritExts =
                        currCert.getCriticalExtensionOIDs();
                    if (unresCritExts == null) {
                        unresCritExts = Collections.< String >emptySet();
                    }
                    for (int j=0; j< userCheckers.size(); j++) {
                        PKIXCertPathChecker currChecker = userCheckers.get(j);
                        if (j <  mustCheck ||
                            !currChecker.isForwardCheckingSupported())
                        {
                            if (i == 0) {
                                currChecker.init(false);
                            }
                            try {
                                currChecker.check(currCert, unresCritExts);
                            } catch (CertPathValidatorException cpve) {
                                if (debug != null)
                                    debug.println
                                    ("SunCertPathBuilder.depthFirstSearchForward(): " +
                                    "final verification failed: " + cpve);
                                vertex.setThrowable(cpve);
                                continue vertices;
                            }
                        }
                    }
                    /*
                     * Remove extensions from user checkers that support
                     * forward checking. After this step, we will have
                     * removed all extensions that all user checkers
                     * are capable of processing.
                     */
                    for (PKIXCertPathChecker checker :
                         buildParams.getCertPathCheckers())
                    {
                        if (checker.isForwardCheckingSupported()) {
                            Set< String > suppExts =
                                checker.getSupportedExtensions();
                            if (suppExts != null) {
                                unresCritExts.removeAll(suppExts);
                            }
                        }
                    }
                    if (!unresCritExts.isEmpty()) {
                        unresCritExts.remove
                            (PKIXExtensions.BasicConstraints_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.NameConstraints_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.CertificatePolicies_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.PolicyMappings_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.PolicyConstraints_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.InhibitAnyPolicy_Id.toString());
                        unresCritExts.remove(PKIXExtensions.
                            SubjectAlternativeName_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.KeyUsage_Id.toString());
                        unresCritExts.remove
                            (PKIXExtensions.ExtendedKeyUsage_Id.toString());
                        if (!unresCritExts.isEmpty()) {
                            throw new CertPathValidatorException("unrecognized "
                                + "critical extension(s)");
                        }
                    }
                }
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchForward()"
                        + ": final verification succeeded - path completed!");
                pathCompleted = true;
                /*
                 * if the user specified a trusted public key rather than
                 * trusted certs, then add this cert (which is signed by
                 * the trusted public key) to the certPathList
                 */
                if (builder.trustAnchor.getTrustedCert() == null)
                    builder.addCertToPath(cert, certPathList);
                // Save the trust anchor
                this.trustAnchor = builder.trustAnchor;
                /*
                 * Extract and save the final target public key
                 */
                if (basicChecker != null) {
                    finalPublicKey = basicChecker.getPublicKey();
                } else {
                    Certificate finalCert;
                    if (certPathList.size() == 0) {
                        finalCert = builder.trustAnchor.getTrustedCert();
                    } else {
                        finalCert = certPathList.get(certPathList.size()-1);
                    }
                    finalPublicKey = finalCert.getPublicKey();
                }
                policyTreeResult = policyChecker.getPolicyTree();
                return;
            } else {
                builder.addCertToPath(cert, certPathList);
            }
            /* Update the PKIX state */
            nextState.updateState(cert);
            /*
             * Append an entry for cert in adjacency list and
             * set index for current vertex.
             */
            adjList.add(new LinkedList< Vertex >());
            vertex.setIndex(adjList.size() - 1);
            /* recursively search for matching certs at next dN */
            depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, builder,
                adjList, certPathList);
            /*
             * If path has been completed, return ASAP!
             */
            if (pathCompleted) {
                return;
            } else {
                /*
                 * If we get here, it means we have searched all possible
                 * certs issued by the dN w/o finding any matching certs.
                 * This means we have to backtrack to the previous cert in
                 * the path and try some other paths.
                 */
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchForward()"
                        + ": backtracking");
                builder.removeFinalCertFromPath(certPathList);
            }
        }
}

  void depthFirstSearchReverse(X500Principal dN,
    ReverseState currentState,
    ReverseBuilder builder,
    List adjList,
    LinkedList certPathList) throws IOException, GeneralSecurityException {
        if (debug != null)
            debug.println("SunCertPathBuilder.depthFirstSearchReverse(" + dN
                + ", " + currentState.toString() + ")");
        /*
         * Find all the certificates issued by dN which
         * satisfy the PKIX certification path constraints.
         */
        List< Vertex > vertices = addVertices
           (builder.getMatchingCerts(currentState, orderedCertStores), adjList);
        if (debug != null)
            debug.println("SunCertPathBuilder.depthFirstSearchReverse(): "
                + "certs.size=" + vertices.size());
        /*
         * For each cert in the collection, verify anything
         * that hasn't been checked yet (signature, revocation, etc)
         * and check for loops. Call depthFirstSearchReverse()
         * recursively for each good cert.
         */
        for (Vertex vertex : vertices) {
            /**
             * Restore state to currentState each time through the loop.
             * This is important because some of the user-defined
             * checkers modify the state, which MUST be restored if
             * the cert eventually fails to lead to the target and
             * the next matching cert is tried.
             */
            ReverseState nextState = (ReverseState) currentState.clone();
            X509Certificate cert = (X509Certificate) vertex.getCertificate();
            try {
                builder.verifyCert(cert, nextState, certPathList);
            } catch (GeneralSecurityException gse) {
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                        + ": validation failed: " + gse);
                vertex.setThrowable(gse);
                continue;
            }
            /*
             * Certificate is good, add it to the path (if it isn't a
             * self-signed cert) and update state
             */
            if (!currentState.isInitial())
                builder.addCertToPath(cert, certPathList);
            // save trust anchor
            this.trustAnchor = currentState.trustAnchor;
            /*
             * Check if path is completed, return ASAP if so.
             */
            if (builder.isPathCompleted(cert)) {
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                        + ": path completed!");
                pathCompleted = true;
                PolicyNodeImpl rootNode = nextState.rootNode;
                if (rootNode == null)
                    policyTreeResult = null;
                else {
                    policyTreeResult = rootNode.copyTree();
                    ((PolicyNodeImpl)policyTreeResult).setImmutable();
                }
                /*
                 * Extract and save the final target public key
                 */
                finalPublicKey = cert.getPublicKey();
                if (finalPublicKey instanceof DSAPublicKey &&
                    ((DSAPublicKey)finalPublicKey).getParams() == null)
                {
                    finalPublicKey =
                        BasicChecker.makeInheritedParamsKey
                            (finalPublicKey, currentState.pubKey);
                }
                return;
            }
            /* Update the PKIX state */
            nextState.updateState(cert);
            /*
             * Append an entry for cert in adjacency list and
             * set index for current vertex.
             */
            adjList.add(new LinkedList< Vertex >());
            vertex.setIndex(adjList.size() - 1);
            /* recursively search for matching certs at next dN */
            depthFirstSearchReverse(cert.getSubjectX500Principal(), nextState,
                builder, adjList, certPathList);
            /*
             * If path has been completed, return ASAP!
             */
            if (pathCompleted) {
                return;
            } else {
                /*
                 * If we get here, it means we have searched all possible
                 * certs issued by the dN w/o finding any matching certs. This
                 * means we have to backtrack to the previous cert in the path
                 * and try some other paths.
                 */
                if (debug != null)
                    debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
                        + ": backtracking");
                if (!currentState.isInitial())
                    builder.removeFinalCertFromPath(certPathList);
            }
        }
        if (debug != null)
            debug.println("SunCertPathBuilder.depthFirstSearchReverse() all "
                + "certs in this adjacency list checked");
}

 public CertPathBuilderResult engineBuild(CertPathParameters params) throws CertPathBuilderException, InvalidAlgorithmParameterException {
        if (debug != null) {
            debug.println("SunCertPathBuilder.engineBuild(" + params + ")");
        }
        if (!(params instanceof PKIXBuilderParameters)) {
            throw new InvalidAlgorithmParameterException("inappropriate " +
                "parameter type, must be an instance of PKIXBuilderParameters");
        }
        boolean buildForward = true;
        if (params instanceof SunCertPathBuilderParameters) {
            buildForward =
                ((SunCertPathBuilderParameters)params).getBuildForward();
        }
        buildParams = (PKIXBuilderParameters)params;
        /* Check mandatory parameters */
        // Make sure that none of the trust anchors include name constraints
        // (not supported).
        for (TrustAnchor anchor : buildParams.getTrustAnchors()) {
            if (anchor.getNameConstraints() != null) {
                throw new InvalidAlgorithmParameterException
                    ("name constraints in trust anchor not supported");
            }
        }
        CertSelector sel = buildParams.getTargetCertConstraints();
        if (!(sel instanceof X509CertSelector)) {
            throw new InvalidAlgorithmParameterException("the "
                + "targetCertConstraints parameter must be an "
                + "X509CertSelector");
        }
        targetSel = (X509CertSelector)sel;
        targetSubjectDN = targetSel.getSubject();
        if (targetSubjectDN == null) {
            X509Certificate targetCert = targetSel.getCertificate();
            if (targetCert != null) {
                targetSubjectDN = targetCert.getSubjectX500Principal();
            }
        }
        // reorder CertStores so that local CertStores are tried first
        orderedCertStores =
            new ArrayList< CertStore >(buildParams.getCertStores());
        Collections.sort(orderedCertStores, new CertStoreComparator());
        if (targetSubjectDN == null) {
            targetSubjectDN = getTargetSubjectDN(orderedCertStores, targetSel);
        }
        if (targetSubjectDN == null) {
            throw new InvalidAlgorithmParameterException
                ("Could not determine unique target subject");
        }
        List< List< Vertex > > adjList = new ArrayList< List< Vertex > >();
        CertPathBuilderResult result =
            buildCertPath(buildForward, false, adjList);
        if (result == null) {
            if (debug != null) {
                debug.println("SunCertPathBuilder.engineBuild: 2nd pass");
            }
            // try again
            adjList.clear();
            result = buildCertPath(buildForward, true, adjList);
            if (result == null) {
                throw new SunCertPathBuilderException("unable to find valid "
                    + "certification path to requested target",
                    new AdjacencyList(adjList));
            }
        }
        return result;
}

The certification path that is constructed is validated according to the PKIX specification.