Logo Search packages:      
Sourcecode: bouncycastle version File versions  Download package

PKIXParameters.java

package org.bouncycastle.jce.cert;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/**
 * Parameters used as input for the PKIX CertPathValidator algorithm.<br />
 * <br />
 * A PKIX <code>CertPathValidator</code> uses these parameters to validate a
 * <code>CertPath</code> according to the PKIX certification path validation
 * algorithm.<br />
 * <br />
 * To instantiate a <code>PKIXParameters</code> object, an application must
 * specify one or more <i>most-trusted CAs</i> as defined by the PKIX
 * certification path validation algorithm. The most-trusted CAs can be
 * specified using one of two constructors. An application can call
 * {@link #PKIXParameters(Set)}, specifying a Set of <code>TrustAnchor</code>
 * objects, each of which identify a most-trusted CA. Alternatively, an
 * application can call {@link #PKIXParameters(KeyStore)}, specifying a
 * <code>KeyStore</code> instance containing trusted certificate entries, each
 * of which will be considered as a most-trusted CA.<br />
 * <br />
 * Once a <code>PKIXParameters</code> object has been created, other
 * parameters can be specified (by calling {@link #setInitialPolicies} or
 * {@link #setDate}, for instance) and then the <code>PKIXParameters</code>
 * is passed along with the <code>CertPath</code> to be validated to
 * {@link CertPathValidator#validate}.<br />
 * <br />
 * Any parameter that is not set (or is set to null) will be set to the default
 * value for that parameter. The default value for the date parameter is null,
 * which indicates the current time when the path is validated. The default for
 * the remaining parameters is the least constrained.<br />
 * <br />
 * <b>Concurrent Access</b><br />
 * <br />
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single object
 * concurrently should synchronize amongst themselves and provide the necessary
 * locking. Multiple threads each manipulating separate objects need not
 * synchronize.
 * 
 * @see CertPathValidator
 */
00055 public class PKIXParameters implements CertPathParameters
{
    private Set trustAnchors;

    private Set initialPolicies = new HashSet();

    private List certStores = new ArrayList();

    private CertSelector certSelector;

    private List certPathCheckers = new ArrayList();

    private boolean revocationEnabled = true;

    private boolean explicitPolicyRequired = false;

    private boolean policyMappingInhibited = false;

    private boolean anyPolicyInhibited = false;

    private boolean policyQualifiersRejected = true;

    private Date date;

    private String sigProvider;

    /**
     * Creates an instance of PKIXParameters with the specified Set of
     * most-trusted CAs. Each element of the set is a TrustAnchor.<br />
     * <br />
     * Note that the Set is copied to protect against subsequent modifications.
     * 
     * @param trustAnchors
     *            a Set of TrustAnchors
     * 
     * @exception InvalidAlgorithmParameterException
     *                if the specified Set is empty
     *                <code>(trustAnchors.isEmpty() == true)</code>
     * @exception NullPointerException
     *                if the specified Set is <code>null</code>
     * @exception ClassCastException
     *                if any of the elements in the Set are not of type
     *                <code>java.security.cert.TrustAnchor</code>
     */
00099     public PKIXParameters(Set trustAnchors)
            throws InvalidAlgorithmParameterException
    {
        setTrustAnchors(trustAnchors);
    }

    /**
     * Creates an instance of PKIXParameters that populates the set of
     * most-trusted CAs from the trusted certificate entries contained in the
     * specified KeyStore. Only keystore entries that contain trusted
     * X509Certificates are considered; all other certificate types are ignored.
     * 
     * @param keystore
     *            a KeyStore from which the set of most-trusted CAs will be
     *            populated
     * 
     * @exception KeyStoreException
     *                if the keystore has not been initialized
     * @exception InvalidAlgorithmParameterException
     *                if the keystore does not contain at least one trusted
     *                certificate entry
     * @exception NullPointerException
     *                if the keystore is null
     */
00123     public PKIXParameters(KeyStore keystore) throws KeyStoreException,
            InvalidAlgorithmParameterException
    {
        if (keystore == null)
        {
            throw new NullPointerException(
                    "the keystore parameter must be non-null");
        }

        Set trustAnchors = new HashSet();
        String alias;
        Certificate cert;
        Enumeration enum = keystore.aliases();
        while (enum.hasMoreElements())
        {
            alias = (String)enum.nextElement();
            if (keystore.isCertificateEntry(alias))
            {
                cert = keystore.getCertificate(alias);
                if (cert instanceof X509Certificate)
                {
                    trustAnchors.add(new TrustAnchor((X509Certificate)cert,
                            null));
                }
            }
        }
        setTrustAnchors(trustAnchors);
    }

    /**
     * Returns an immutable Set of the most-trusted CAs.
     * 
     * @return an immutable <code>Set</code> of <code>TrustAnchors</code>
     *         (never <code>null</code>)
     * 
     * @see #setTrustAnchors
     */
00160     public Set getTrustAnchors()
    {
        return Collections.unmodifiableSet(trustAnchors);
    }

    /**
     * Sets the Set of most-trusted CAs.<br />
     * <br />
     * Note that the Set is copied to protect against subsequent modifications.<br />
     * <br />
     * 
     * @param trustAnchors
     *            a Set of TrustAnchors
     * 
     * @exception InvalidAlgorithmParameterException
     *                if the specified Set is empty
     *                <code>(trustAnchors.isEmpty() == true)</code>
     * @exception NullPointerException
     *                if the specified Set is <code>null</code>
     * @exception ClassCastException
     *                if any of the elements in the set are not of type
     *                java.security.cert.TrustAnchor
     * 
     * @see #getTrustAnchors
     */
00185     public void setTrustAnchors(Set trustAnchors)
            throws InvalidAlgorithmParameterException
    {
        if (trustAnchors == null)
        {
            throw new NullPointerException(
                    "the trustAnchors parameter must be non-null");
        }
        if (trustAnchors.isEmpty())
        {
            throw new InvalidAlgorithmParameterException(
                    "the trustAnchors parameter must be non-empty");
        }

        Iterator iter = trustAnchors.iterator();
        TrustAnchor obj;
        this.trustAnchors = new HashSet();
        while (iter.hasNext())
        {
            obj = (TrustAnchor)iter.next();
            if (obj != null)
            {
                this.trustAnchors.add(obj);
            }
        }
    }

    /**
     * Returns an immutable Set of initial policy identifiers (OID strings),
     * indicating that any one of these policies would be acceptable to the
     * certificate user for the purposes of certification path processing. The
     * default return value is an empty <code>Set</code>, which is
     * interpreted as meaning that any policy would be acceptable.
     * 
     * @return an immutable <code>Set</code> of initial policy OIDs in String
     *         format, or an empty <code>Set</code> (implying any policy is
     *         acceptable). Never returns <code>null</code>.
     * 
     * @see #setInitialPolicies(java.util.Set)
     */
00225     public Set getInitialPolicies()
    {
        Set returnSet = initialPolicies;
        if (initialPolicies == null)
        {
            returnSet = new HashSet();
        }

        return Collections.unmodifiableSet(returnSet);
    }

    /**
     * Sets the <code>Set</code> of initial policy identifiers (OID strings),
     * indicating that any one of these policies would be acceptable to the
     * certificate user for the purposes of certification path processing. By
     * default, any policy is acceptable (i.e. all policies), so a user that
     * wants to allow any policy as acceptable does not need to call this
     * method, or can call it with an empty <code>Set</code> (or
     * <code>null</code>).<br />
     * <br />
     * Note that the Set is copied to protect against subsequent modifications.<br />
     * <br />
     * 
     * @param initialPolicies
     *            a Set of initial policy OIDs in String format (or
     *            <code>null</code>)
     * 
     * @exception ClassCastException
     *                if any of the elements in the set are not of type String
     * 
     * @see #getInitialPolicies()
     */
00257     public void setInitialPolicies(Set initialPolicies)
    {
        if (initialPolicies == null || initialPolicies.isEmpty())
        {
            this.initialPolicies = null;
        }
        else
        {
            Iterator iter = initialPolicies.iterator();
            this.initialPolicies = new HashSet();
            String obj;
            while (iter.hasNext())
            {
                obj = (String)iter.next();
                if (obj != null)
                {
                    this.initialPolicies.add(obj);
                }
            }
        }
    }

    /**
     * Sets the list of CertStores to be used in finding certificates and CRLs.
     * May be null, in which case no CertStores will be used. The first
     * CertStores in the list may be preferred to those that appear later.<br />
     * <br />
     * Note that the List is copied to protect against subsequent modifications.<br />
     * <br />
     * 
     * @param stores
     *            a List of CertStores (or <code>null</code>)
     * 
     * @exception ClassCastException
     *                if any of the elements in the list are not of type
     *                <code>java.security.cert.CertStore</code>
     * 
     * @see #getCertStores()
     */
00296     public void setCertStores(List stores)
    {
        certStores = new ArrayList();
        if (stores != null && !stores.isEmpty())
        {
            Iterator iter = stores.iterator();
            CertStore obj;
            while (iter.hasNext())
            {
                obj = (CertStore)iter.next();
                if (obj != null)
                {
                    certStores.add(obj);
                }
            }
        }
    }

    /**
     * Adds a CertStore to the end of the list of CertStores used in finding
     * certificates and CRLs.
     * 
     * @param store
     *            the <code>CertStore</code> to add. If
     *            <code>null</code<, the store is ignored (not added to
     * list).
     */
00323     public void addCertStore(CertStore store)
    {
        if (store != null)
        {
            certStores.add(store);
        }
    }

    /**
     * Returns an immutable List of CertStores that are used to find
     * certificates and CRLs.
     * 
     * @return an immutable List of CertStores (may be empty, but never
     *         <code>null</code>)
     * 
     * @see #setCertStores(java.util.List)
     */
00340     public List getCertStores()
    {
        return Collections.unmodifiableList(certStores);
    }

    /**
     * Sets the RevocationEnabled flag. If this flag is true, the default
     * revocation checking mechanism of the underlying PKIX service provider
     * will be used. If this flag is false, the default revocation checking
     * mechanism will be disabled (not used).<br />
     * <br />
     * When a <code>PKIXParameters</code> object is created, this flag is set
     * to true. This setting reflects the most common strategy for checking
     * revocation, since each service provider must support revocation checking
     * to be PKIX compliant. Sophisticated applications should set this flag to
     * false when it is not practical to use a PKIX service provider's default
     * revocation checking mechanism or when an alternative revocation checking
     * mechanism is to be substituted (by also calling the
     * {@link #addCertPathChecker addCertPathChecker} or {@link 
     * #setCertPathCheckers setCertPathCheckers} methods).
     * 
     * @param val
     *            the new value of the RevocationEnabled flag
     */
00364     public void setRevocationEnabled(boolean val)
    {
        revocationEnabled = val;
    }

    /**
     * Checks the RevocationEnabled flag. If this flag is true, the default
     * revocation checking mechanism of the underlying PKIX service provider
     * will be used. If this flag is false, the default revocation checking
     * mechanism will be disabled (not used). See the setRevocationEnabled
     * method for more details on setting the value of this flag.
     * 
     * @return the current value of the RevocationEnabled flag
     */
00378     public boolean isRevocationEnabled()
    {
        return revocationEnabled;
    }

    /**
     * Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable
     * policy needs to be explicitly identified in every certificate. By
     * default, the ExplicitPolicyRequired flag is false.
     * 
     * @param val
     *            true if explicit policy is to be required, false otherwise
     */
00391     public void setExplicitPolicyRequired(boolean val)
    {
        explicitPolicyRequired = val;
    }

    /**
     * Checks if explicit policy is required. If this flag is true, an
     * acceptable policy needs to be explicitly identified in every certificate.
     * By default, the ExplicitPolicyRequired flag is false.
     * 
     * @return true if explicit policy is required, false otherwise
     */
00403     public boolean isExplicitPolicyRequired()
    {
        return explicitPolicyRequired;
    }

    /**
     * Sets the PolicyMappingInhibited flag. If this flag is true, policy
     * mapping is inhibited. By default, policy mapping is not inhibited (the
     * flag is false).
     * 
     * @param val
     *            true if policy mapping is to be inhibited, false otherwise
     */
00416     public void setPolicyMappingInhibited(boolean val)
    {
        policyMappingInhibited = val;
    }

    /**
     * Checks if policy mapping is inhibited. If this flag is true, policy
     * mapping is inhibited. By default, policy mapping is not inhibited (the
     * flag is false).
     * 
     * @return true if policy mapping is inhibited, false otherwise
     */
00428     public boolean isPolicyMappingInhibited()
    {
        return policyMappingInhibited;
    }

    /**
     * Sets state to determine if the any policy OID should be processed if it
     * is included in a certificate. By default, the any policy OID is not
     * inhibited ({@link #isAnyPolicyInhibited()} returns false).
     * 
     * @return val - <code>true</code> if the any policy OID is to be
     *         inhibited, <code>false</code> otherwise
     */
00441     public void setAnyPolicyInhibited(boolean val)
    {
        anyPolicyInhibited = val;
    }

    /**
     * Checks whether the any policy OID should be processed if it is included
     * in a certificate.
     * 
     * @return <code>true</code> if the any policy OID is inhibited,
     *         <code>false</code> otherwise
     */
00453     public boolean isAnyPolicyInhibited()
    {
        return anyPolicyInhibited;
    }

    /**
     * Sets the PolicyQualifiersRejected flag. If this flag is true,
     * certificates that include policy qualifiers in a certificate policies
     * extension that is marked critical are rejected. If the flag is false,
     * certificates are not rejected on this basis.<br />
     * <br />
     * When a <code>PKIXParameters</code> object is created, this flag is set
     * to true. This setting reflects the most common (and simplest) strategy
     * for processing policy qualifiers. Applications that want to use a more
     * sophisticated policy must set this flag to false.<br />
     * <br />
     * Note that the PKIX certification path validation algorithm specifies that
     * any policy qualifier in a certificate policies extension that is marked
     * critical must be processed and validated. Otherwise the certification
     * path must be rejected. If the policyQualifiersRejected flag is set to
     * false, it is up to the application to validate all policy qualifiers in
     * this manner in order to be PKIX compliant.
     * 
     * @param qualifiersRejected
     *            the new value of the PolicyQualifiersRejected flag
     * 
     * @see #getPolicyQualifiersRejected()
     * @see PolicyQualifierInfo
     */
00482     public void setPolicyQualifiersRejected(boolean qualifiersRejected)
    {
        policyQualifiersRejected = qualifiersRejected;
    }

    /**
     * Gets the PolicyQualifiersRejected flag. If this flag is true,
     * certificates that include policy qualifiers in a certificate policies
     * extension that is marked critical are rejected. If the flag is false,
     * certificates are not rejected on this basis.<br />
     * <br />
     * When a PKIXParameters object is created, this flag is set to true. This
     * setting reflects the most common (and simplest) strategy for processing
     * policy qualifiers. Applications that want to use a more sophisticated
     * policy must set this flag to false.
     * 
     * @return the current value of the PolicyQualifiersRejected flag
     * 
     * @see #setPolicyQualifiersRejected(boolean)
     */
00502     public boolean getPolicyQualifiersRejected()
    {
        return policyQualifiersRejected;
    }

    /**
     * Returns the time for which the validity of the certification path should
     * be determined. If null, the current time is used.<br />
     * <br />
     * Note that the Date returned is copied to protect against subsequent
     * modifications.
     * 
     * @return the Date, or <code>null</code> if not set
     * 
     * @see #setDate(java.util.Date)
     */
00518     public Date getDate()
    {
        if (date == null)
        {
            return null;
        }

        return new Date(date.getTime());
    }

    /**
     * Sets the time for which the validity of the certification path should be
     * determined. If null, the current time is used.<br />
     * <br />
     * Note that the Date supplied here is copied to protect against subsequent
     * modifications.
     * 
     * @param date
     *            the Date, or <code>null</code> for the current time
     * 
     * @see #getDate()
     */
00540     public void setDate(Date date)
    {
        if (date == null)
        {
            this.date = null;
        }
        else
        {
            this.date = new Date(date.getTime());
        }
    }

    /**
     * Sets a <code>List</code> of additional certification path checkers. If
     * the specified List contains an object that is not a PKIXCertPathChecker,
     * it is ignored.<br />
     * <br />
     * Each <code>PKIXCertPathChecker</code> specified implements additional
     * checks on a certificate. Typically, these are checks to process and
     * verify private extensions contained in certificates. Each
     * <code>PKIXCertPathChecker</code> should be instantiated with any
     * initialization parameters needed to execute the check.<br />
     * <br />
     * This method allows sophisticated applications to extend a PKIX
     * <code>CertPathValidator</code> or <code>CertPathBuilder</code>. Each
     * of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX
     * <code>CertPathValidator</code> or <code>CertPathBuilder</code> for
     * each certificate processed or validated.<br />
     * <br />
     * Regardless of whether these additional PKIXCertPathCheckers are set, a
     * PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code>
     * must perform all of the required PKIX checks on each certificate. The one
     * exception to this rule is if the RevocationEnabled flag is set to false
     * (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled}
     * method).<br />
     * <br />
     * Note that the List supplied here is copied and each PKIXCertPathChecker
     * in the list is cloned to protect against subsequent modifications.
     * 
     * @param checkers
     *            a List of PKIXCertPathCheckers. May be null, in which case no
     *            additional checkers will be used.
     * @exception ClassCastException
     *                if any of the elements in the list are not of type
     *                <code>java.security.cert.PKIXCertPathChecker</code>
     * @see #getCertPathCheckers()
     */
00587     public void setCertPathCheckers(List checkers)
    {
        certPathCheckers = new ArrayList();
        if (checkers == null)
        {
            return;
        }
        Iterator iter = checkers.iterator();
        while (iter.hasNext())
        {
            certPathCheckers
                    .add((PKIXCertPathChecker)((PKIXCertPathChecker)iter.next())
                            .clone());
        }
    }

    /**
     * Returns the List of certification path checkers. The returned List is
     * immutable, and each PKIXCertPathChecker in the List is cloned to protect
     * against subsequent modifications.
     * 
     * @return an immutable List of PKIXCertPathCheckers (may be empty, but not
     *         <code>null</code>)
     * 
     * @see #setCertPathCheckers(java.util.List)
     */
00613     public List getCertPathCheckers()
    {
        List checkers = new ArrayList();
        Iterator iter = certPathCheckers.iterator();
        while (iter.hasNext())
        {
            checkers
                    .add((PKIXCertPathChecker)((PKIXCertPathChecker)iter.next())
                            .clone());
        }
        return Collections.unmodifiableList(checkers);
    }

    /**
     * Adds a PKIXCertPathChecker to the list of certification path checkers.
     * See the {@link #setCertPathCheckers} method for more details.<br />
     * <br />
     * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
     * against subsequent modifications.
     * 
     * @param checker
     *            a <code>PKIXCertPathChecker</code> to add to the list of
     *            checks. If <code>null</code>, the checker is ignored (not
     *            added to list).
     */
00638     public void addCertPathChecker(PKIXCertPathChecker checker)
    {
        if (checker != null)
        {
            certPathCheckers.add(checker.clone());
        }
    }

    /**
     * Returns the signature provider's name, or <code>null</code> if not set.
     * 
     * @return the signature provider's name (or <code>null</code>)
     * 
     * @see #setSigProvider(java.lang.String)
     */
00653     public String getSigProvider()
    {
        return sigProvider;
    }

    /**
     * Sets the signature provider's name. The specified provider will be
     * preferred when creating Signature objects. If null or not set, the first
     * provider found supporting the algorithm will be used.
     * 
     * @param sigProvider
     *            the signature provider's name (or <code>null</code>)
     * 
     * @see #getSigProvider()
     */
00668     public void setSigProvider(String sigProvider)
    {
        this.sigProvider = sigProvider;
    }

    /**
     * Returns the required constraints on the target certificate. The
     * constraints are returned as an instance of CertSelector. If
     * <code>null</code>, no constraints are defined.<br />
     * <br />
     * Note that the CertSelector returned is cloned to protect against
     * subsequent modifications.
     * 
     * @return a CertSelector specifying the constraints on the target
     *         certificate (or <code>null</code>)
     * 
     * @see #setTargetCertConstraints(CertSelector)
     */
00686     public CertSelector getTargetCertConstraints()
    {
        if (certSelector == null)
        {
            return null;
        }

        return (CertSelector)certSelector.clone();
    }

    /**
     * Sets the required constraints on the target certificate. The constraints
     * are specified as an instance of CertSelector. If null, no constraints are
     * defined.<br />
     * <br />
     * Note that the CertSelector specified is cloned to protect against
     * subsequent modifications.
     * 
     * @param selector
     *            a CertSelector specifying the constraints on the target
     *            certificate (or <code>null</code>)
     * 
     * @see #getTargetCertConstraints()
     */
00710     public void setTargetCertConstraints(CertSelector selector)
    {
        if (selector == null)
        {
            certSelector = null;
        }
        else
        {
            certSelector = (CertSelector)selector.clone();
        }
    }

    /**
     * Makes a copy of this PKIXParameters object. Changes to the copy will not
     * affect the original and vice versa.
     * 
     * @return a copy of this <code>PKIXParameters</code> object
     */
00728     public Object clone()
    {
        try
        {
            PKIXParameters obj = (PKIXParameters)super.clone();
            obj.certStores = new ArrayList(certStores);
            Iterator iter = certPathCheckers.iterator();
            obj.certPathCheckers = new ArrayList();
            while (iter.hasNext())
            {
                obj.certPathCheckers.add(((PKIXCertPathChecker)iter.next())
                        .clone());
            }
            if (initialPolicies != null)
            {
                obj.initialPolicies = new HashSet(initialPolicies);
            }
            if (trustAnchors != null)
            {
                obj.trustAnchors = new HashSet(trustAnchors);
            }
            if (certSelector != null)
            {
                obj.certSelector = (CertSelector)certSelector.clone();
            }
            return obj;
        }
        catch (CloneNotSupportedException ex)
        {
            throw new InternalError();
        }
    }

    /**
     * Returns a formatted string describing the parameters.
     * 
     * @return a formatted string describing the parameters.
     */
00766     public String toString()
    {
        StringBuffer s = new StringBuffer();
        s.append("[\n");
        if (trustAnchors != null)
        {
            s.append("  Trust Anchors: " + trustAnchors.toString() + "\n");
        }
        if (initialPolicies != null)
        {
            if (initialPolicies.isEmpty())
            {
                s.append("  Initial Policy OIDs: any\n");
            }
            else
            {
                s.append("  Initial Policy OIDs: ["
                        + initialPolicies.toString() + "]\n");
            }
        }
        s.append("  Validity Date: ");
        if (date != null)
        {
            s.append(date);
        }
        else
        {
            s.append("null");
        }
        s.append("\n");

        s.append("  Signature Provider: ");
        if (sigProvider != null)
        {
            s.append(sigProvider);
        }
        else
        {
            s.append("null");
        }
        s.append("\n");

        s.append("  Default Revocation Enabled: ");
        s.append(revocationEnabled);
        s.append("\n");

        s.append("  Explicit Policy Required: ");
        s.append(explicitPolicyRequired);
        s.append("\n");

        s.append("  Policy Mapping Inhibited: ");
        s.append(policyMappingInhibited);
        s.append("\n");

        s.append("  Any Policy Inhibited: ");
        s.append(anyPolicyInhibited);
        s.append("\n");

        s.append("  Policy Qualifiers Rejected: ");
        s.append(policyQualifiersRejected);
        s.append("\n");

        s.append("  Target Cert Constraints: ");
        s.append(certSelector);
        s.append("\n");

        s.append("  Certification Path Checkers: [");
        s.append(certPathCheckers);
        s.append("}\n");

        s.append("  CertStores: [");
        s.append(certStores);
        s.append("}\n");

        s.append("]\n");

        return s.toString();
    }
}

Generated by  Doxygen 1.6.0   Back to index