IT. Expert System.

Android Reference



Class TrustedCertificateStore

  • java.lang.Object
    • org.apache.harmony.xnet.provider.jsse.TrustedCertificateStore

  • public final class TrustedCertificateStore
    extends Object
    A source for trusted root certificate authority (CA) certificates supporting an immutable system CA directory along with mutable directories allowing the user addition of custom CAs and user removal of system CAs. This store supports the TrustedCertificateKeyStoreSpi wrapper to allow a traditional KeyStore interface for use with

    The CAs are accessed via KeyStore style aliases. Aliases are made up of a prefix identifying the source ("system:" vs "user:") and a suffix based on the OpenSSL X509_NAME_hash_old function of the CA's subject name. For example, the system CA for "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" could be represented as "system:7651b327.0". By using the subject hash, operations such as getCertificateAlias can be implemented efficiently without scanning the entire store.

    In addition to supporting the TrustedCertificateKeyStoreSpi implementation, TrustedCertificateStore also provides the additional public methods isTrustAnchor(X509Certificate) and findIssuer(X509Certificate) to allow efficient lookup operations for CAs, again based on the file naming convention.

    The KeyChainService uses installCertificate and deleteCertificateEntry(java.lang.String) to install user CAs and to delete both user CAs and system CAs. The deletion of a system CA is performed by placing an exact copy of that CA in the deleted directory. Such deletions are intended to persist across upgrades, but they are not intended to mask a CA that has a matching name or public key but is otherwise reissued in a system update. Reinstalling a deleted system certificate simply removes the copy from the deleted directory, re-enabling the original in the system directory.

    Note that the default mutable directory is created by init via configuration in the system/core/rootdir/init.rc file. The directive "mkdir /data/misc/keychain 0775 system system" ensures that its owner and group are the system uid and system gid and that it is world readable but only writable by the system user.
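
The alias scheme and the deletion-by-copy behaviour described above, as an added example (not code from Android or from this reference page). It is a simplified model: the class name CaStoreModel, its methods, the sample subject and the placeholder bytes standing in for DER certificates are all assumptions made for illustration. It shows that a deletion marker hides only a byte-exact copy, so a CA reissued by a system update is trusted again.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.x500.X500Principal;
// Simplified model of the three-directory overlay (added example, not Android's code).
public class CaStoreModel {
    final File systemDir, addedDir, deletedDir;
    CaStoreModel(File s, File a, File d) { systemDir = s; addedDir = a; deletedDir = d; }

    // X509_NAME_hash_old: first 4 bytes of MD5(DER subject name), little-endian, 8 hex digits.
    static String subjectHash(X500Principal subject) throws Exception {
        byte[] md = MessageDigest.getInstance("MD5").digest(subject.getEncoded());
        int h = (md[0] & 0xff) | (md[1] & 0xff) << 8 | (md[2] & 0xff) << 16 | (md[3] & 0xff) << 24;
        return String.format("%08x", h);
    }

    // A system CA counts as deleted only while a <hash>.N file in deletedDir is a byte-exact copy.
    boolean isDeleted(File sys) throws Exception {
        String hash = sys.getName().substring(0, sys.getName().indexOf('.'));
        for (int i = 0; ; i++) {
            File f = new File(deletedDir, hash + "." + i);
            if (!f.isFile()) return false;            // first missing index ends the probe
            if (Arrays.equals(Files.readAllBytes(f), Files.readAllBytes(sys))) return true;
        }
    }

    // Effective trust set: every user-added CA plus every system CA that is not deleted.
    Set<String> trustedAliases() throws Exception {
        Set<String> out = new TreeSet<>();
        for (File f : addedDir.listFiles()) out.add("user:" + f.getName());
        for (File f : systemDir.listFiles()) if (!isDeleted(f)) out.add("system:" + f.getName());
        return out;
    }

    public static void main(String[] args) throws Exception {
        File r = Files.createTempDirectory("castore").toFile();
        CaStoreModel m = new CaStoreModel(new File(r, "sys"), new File(r, "add"), new File(r, "del"));
        for (File d : new File[] {m.systemDir, m.addedDir, m.deletedDir}) d.mkdirs();
        // Constructed subject; constructed placeholder bytes stand in for a DER certificate.
        String name = subjectHash(new X500Principal("CN=Example Root CA, O=Example, C=US")) + ".0";
        File sys = new File(m.systemDir, name);
        Files.write(sys.toPath(), "cert-v1".getBytes());
        System.out.println("initial:  " + m.trustedAliases());
        Files.copy(sys.toPath(), new File(m.deletedDir, name).toPath());   // user removes the CA
        System.out.println("deleted:  " + m.trustedAliases());
        Files.write(sys.toPath(), "cert-v2".getBytes());                   // update reissues the CA
        System.out.println("reissued: " + m.trustedAliases());
    }
}
```

Run it with `java CaStoreModel.java` on JDK 11 or later. When auditing a device, compare the deleted directory against the system directory after each update to spot removals that no longer apply.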

    • Constructor Detail

      • TrustedCertificateStore

        public TrustedCertificateStore()
      • TrustedCertificateStore

        public TrustedCertificateStore(File systemDir,
                               File addedDir,
                               File deletedDir)
    • Method Detail

      • isSystem

        public static final boolean isSystem(String alias)
      • isUser

        public static final boolean isUser(String alias)
      • getCertificate

        public Certificate getCertificate(String alias,
                                 boolean includeDeletedSystem)
      • getCreationDate

        public Date getCreationDate(String alias)
      • userAliases

        public Set<String> userAliases()
      • allSystemAliases

        public Set<String> allSystemAliases()
      • containsAlias

        public boolean containsAlias(String alias)
      • isUserAddedCertificate

        public boolean isUserAddedCertificate(X509Certificate cert)
        Returns true to indicate that the certificate was added by the user, false otherwise.
      • isTrustAnchor

        public boolean isTrustAnchor(X509Certificate c)
        This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate a CA certificate with the same name and public key as the provided X509Certificate. We match on the name and public key and not the entire certificate since a CA may be reissued with the same name and PublicKey but with other differences (for example, when switching signature from md2WithRSAEncryption to SHA1withRSA).
      • findIssuer

        public X509Certificate findIssuer(X509Certificate c)
        This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate the CA certificate that signed the provided X509Certificate.
      • getCertificateChain

        public List<X509Certificate> getCertificateChain(X509Certificate leaf)
        Attempt to build a certificate chain from the supplied leaf argument through the chain of issuers as high up as known. If the chain can't be completed, the most complete chain available will be returned. This means that a list with only the leaf certificate is returned if no issuer certificates could be found.
      • deleteCertificateEntry

        public void deleteCertificateEntry(String alias)
                                    throws IOException,
        This could be considered the implementation of TrustedCertificateKeyStoreSpi.engineDeleteEntry but we consider TrustedCertificateKeyStoreSpi to be read only. Instead, this is used by the KeyChainService to delete CA certificates.

