I think that a PKIX certpath builder
is not applicable for CVC. Verifying paths according to PKIX (rfc5280)
is very x.509 specific including things like name constraints, certificate policy extensions etc. This is probably why the trustanchors requires x.509 certs.
The only option I could think of that does not require you to implement a custom CertBuilderSpi
would be if BC had one for CVC, since it also implements other CVC certificates.
But a quick search:
find . -name "*.java" -exec grep -H "extends CertPathBuilderSpi" {} \;
reveals only the PKIX
classes. And cert-cvc also does not implement a CertPathBuilder
. Such an addition would be cool though.
Cheers, Tomas