Logo Search packages:      
Sourcecode: bouncycastle version File versions

PKIXParameters.java

package java.security.cert;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/**
 * Parameters used as input for the PKIX CertPathValidator  algorithm.<br />
 * <br />
 * A PKIX <code>CertPathValidator</code> uses these parameters to validate a
 * <code>CertPath</code> according to the PKIX certification path validation
 * algorithm.<br />
 * <br />
 * To instantiate a <code>PKIXParameters</code> object, an application must specify
 * one or more <i>most-trusted CAs</i> as defined by the PKIX certification
 * path validation algorithm. The most-trusted CAs can be specified
 * using one of two constructors. An application can call
 * {@link #PKIXParameters(Set)}, specifying a Set of <code>TrustAnchor</code> objects, each
 * of which identify a most-trusted CA. Alternatively, an application
 * can call {@link #PKIXParameters(KeyStore)}, specifying a <code>KeyStore</code> instance
 * containing trusted certificate entries, each of which will be
 * considered as a most-trusted CA.<br />
 * <br />
 * Once a <code>PKIXParameters</code> object has been created, other parameters can
 * be specified (by calling {@link #setInitialPolicies} or {@link #setDate}, for
 * instance) and then the <code>PKIXParameters</code> is passed along with the
 * <code>CertPath</code> to be validated to {@link CertPathValidator#validate}.<br />
 * <br />
 * Any parameter that is not set (or is set to null) will be set to the
 * default value for that parameter. The default value for the date
 * parameter is null, which indicates the current time when the path is
 * validated. The default for the remaining parameters is the least
 * constrained.<br />
 * <br />
 * <b>Concurrent Access</b><br />
 * <br />
 * Unless otherwise specified, the methods defined in this class are
 * not thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see CertPathValidator
 **/
00053 public class PKIXParameters implements CertPathParameters {
    private Set trustAnchors;
    private Set initialPolicies = new HashSet();
    private List certStores = new ArrayList();
    private CertSelector certSelector;
    private List certPathCheckers = new ArrayList();
    private boolean revocationEnabled = true;
    private boolean explicitPolicyRequired = false;
    private boolean policyMappingInhibited = false;
    private boolean anyPolicyInhibited = false;
    private boolean policyQualifiersRejected = true;
    private Date date;
    private String sigProvider;

    /**
     * Creates an instance of PKIXParameters with the specified
     * Set of most-trusted CAs. Each element of the set is a
     * TrustAnchor.<br />
     * <br />
     * Note that the Set is copied to protect against subsequent
     * modifications.
     *
     * @param trustAnchors a Set of TrustAnchors
     *
     * @exception InvalidAlgorithmParameterException if the
     * specified Set is empty <code>(trustAnchors.isEmpty() == true)</code>
     * @exception NullPointerException if the specified Set is <code>null</code>
     * @exception ClassCastException if any of the elements in the
     * Set are not of type
     * <code>java.security.cert.TrustAnchor</code>
     **/
00084     public PKIXParameters(Set trustAnchors)
    throws InvalidAlgorithmParameterException
    {
    setTrustAnchors( trustAnchors );
    }

    /**
     * Creates an instance of PKIXParameters that populates the
     * set of most-trusted CAs from the trusted certificate
     * entries contained in the specified KeyStore. Only keystore
     * entries that contain trusted X509Certificates  are
     * considered; all other certificate types are ignored.
     *
     * @param keystore a KeyStore from which the set of
     * most-trusted CAs will be populated
     *
     * @exception KeyStoreException if the keystore has not been
     * initialized
     * @exception InvalidAlgorithmParameterException if the keystore
     * does not contain at least one trusted certificate entry
     * @exception NullPointerException if the keystore is null
    **/
00106     public PKIXParameters(KeyStore keystore)
    throws KeyStoreException,
    InvalidAlgorithmParameterException
    {
    if ( keystore == null )
        throw new NullPointerException( "the keystore parameter must be non-null" );

    Set trustAnchors = new HashSet();
    String alias;
    Certificate cert;
    Enumeration enum = keystore.aliases();
    while ( enum.hasMoreElements() ) {
        alias = (String)enum.nextElement();
        if ( keystore.isCertificateEntry( alias ) ) {
        cert = keystore.getCertificate( alias );
        if ( cert instanceof X509Certificate )
            trustAnchors.add( new TrustAnchor( (X509Certificate)cert, null ) );
        }
    }
    setTrustAnchors( trustAnchors );
    }

    /**
     * Returns an immutable Set of the most-trusted CAs.
     *
     * @return an immutable <code>Set</code> of
     * <code>TrustAnchors</code> (never <code>null</code>)
     *
     * @see #setTrustAnchors
     **/
00136     public Set getTrustAnchors()
    {
    return Collections.unmodifiableSet(trustAnchors);
    }

    /**
     * Sets the Set of most-trusted CAs.<br />
     * <br />
     * Note that the Set is copied to protect against subsequent
     * modifications.<br />
     * <br />
     * @param trustAnchors a Set of TrustAnchors
     *
     * @exception InvalidAlgorithmParameterException if the specified Set is empty <code>(trustAnchors.isEmpty() == true)</code>
     * @exception NullPointerException if the specified Set is <code>null</code>
     * @exception ClassCastException if any of the elements in
     * the set are not of type java.security.cert.TrustAnchor
     *
     * @see #getTrustAnchors
     **/
00156     public void setTrustAnchors(Set trustAnchors)
    throws InvalidAlgorithmParameterException
    {
    if ( trustAnchors == null )
        throw new NullPointerException("the trustAnchors parameter must be non-null");
    if ( trustAnchors.isEmpty() )
        throw new InvalidAlgorithmParameterException("the trustAnchors parameter must be non-empty");

    Iterator iter = trustAnchors.iterator();
    TrustAnchor obj;
    this.trustAnchors = new HashSet();
    while( iter.hasNext() ) {
        obj = (TrustAnchor)iter.next();
        if ( obj != null ) {
        this .trustAnchors.add( obj );
        }
    }
    }

    /**
     * Returns an immutable Set of initial policy identifiers (OID
     * strings), indicating that any one of these policies would
     * be acceptable to the certificate user for the purposes of
     * certification path processing. The default return value is
     * an empty <code>Set</code>, which is interpreted as meaning that any
     * policy would be acceptable.
     *
     * @return an immutable <code>Set</code> of initial policy
     * OIDs in String format, or an empty <code>Set</code> (implying any policy
     * is acceptable). Never returns <code>null</code>.
     *
     * @see #setInitialPolicies(java.util.Set)
     **/
00189     public Set getInitialPolicies()
    {
    Set returnSet = initialPolicies;
    if ( initialPolicies == null )
        returnSet = new HashSet();

    return Collections.unmodifiableSet( returnSet );
    }

    /**
     * Sets the <code>Set</code> of initial policy identifiers (OID strings),
     * indicating that any one of these policies would be
     * acceptable to the certificate user for the purposes of
     * certification path processing. By default, any policy is
     * acceptable (i.e. all policies), so a user that wants to
     * allow any policy as acceptable does not need to call this
     * method, or can call it with an empty <code>Set</code> (or <code>null</code>).<br />
     * <br />
     * Note that the Set is copied to protect against subsequent
     * modifications.<br />
     * <br />
     * @param initialPolicies a Set of initial policy OIDs in String format (or <code>null</code>)
     *
     * @exception ClassCastException if any of the elements in the
     * set are not of type String
     *
     * @see #getInitialPolicies()
     **/
00217     public void setInitialPolicies(Set initialPolicies)
    {
    if ( initialPolicies == null || initialPolicies.isEmpty() )
    {
        this.initialPolicies = null;
    }
    else
    {
        Iterator iter = initialPolicies.iterator();
        this.initialPolicies = new HashSet();
        String obj;
        while ( iter.hasNext() )
        {
        obj = (String)iter.next();
        if ( obj != null ) {
            this.initialPolicies.add( obj );
        }
        }
    }
    }

    /**
     * Sets the list of CertStores to be used in finding
     * certificates and CRLs. May be null, in which case no
     * CertStores will be used. The first CertStores in the list
     * may be preferred to those that appear later.<br />
     * <br />
     * Note that the List is copied to protect against subsequent
     * modifications.<br />
     * <br />
     * @param stores a List of CertStores (or <code>null</code>)
     *
     * @exception ClassCastException if any of the elements in the
     * list are not of type <code>java.security.cert.CertStore</code>
     *
     * @see #getCertStores()
     **/
00254     public void setCertStores(List stores)
    {
    certStores = new ArrayList();
    if ( stores != null && ! stores.isEmpty() )
    {
        Iterator iter = stores.iterator();
        CertStore obj;
        while ( iter.hasNext() )
        {
        obj = (CertStore)iter.next();
        if ( obj != null )
        {
            certStores.add( obj );
        }
        }
    }
    }

    /**
     * Adds a CertStore to the end of the list of CertStores used
     * in finding certificates and CRLs.
     *
     * @param store  the <code>CertStore</code> to add. If
     * <code>null</code<, the store is ignored (not added to
     * list).
     **/
00280     public void addCertStore(CertStore store)
    {
    if ( store != null )
        certStores.add( store );
    }

    /**
     * Returns an immutable List of CertStores that are used to
     * find certificates and CRLs.
     *
     * @return an immutable List of CertStores (may be empty, but never <code>null</code>)
     *
     * @see #setCertStores(java.util.List)
     **/
00294     public List getCertStores()
    {
    return Collections.unmodifiableList(certStores);
    }

    /**
    * Sets the RevocationEnabled flag. If this flag is true, the default
    * revocation checking mechanism of the underlying PKIX service provider 
    * will be used. If this flag is false, the default revocation checking 
    * mechanism will be disabled (not used).<br />
    * <br />
    * When a <code>PKIXParameters</code> object is created, this flag is set
    * to true. This setting reflects the most common strategy for checking
    * revocation, since each service provider must support revocation 
    * checking to be PKIX compliant. Sophisticated applications should set
    * this flag to false when it is not practical to use a PKIX service 
    * provider's default revocation checking mechanism or when an alternative 
    * revocation checking mechanism is to be substituted (by also calling the 
    * {@link #addCertPathChecker addCertPathChecker} or {@link 
    * #setCertPathCheckers setCertPathCheckers} methods).
    *
    * @param val the new value of the RevocationEnabled flag
    **/
00317     public void setRevocationEnabled(boolean val)
    {
    revocationEnabled = val;
    }

    /** 
     * Checks the RevocationEnabled flag. If this flag is true,
     * the default revocation checking mechanism of the underlying
     * PKIX service provider will be used. If this flag is false,
     * the default revocation checking mechanism will be disabled
     * (not used). See the setRevocationEnabled method for more
     * details on setting the value of this flag.
     *
     * @return the current value of the RevocationEnabled flag
    **/
00332     public boolean isRevocationEnabled()
    {
    return revocationEnabled;
    }

    /**
     * Sets the ExplicitPolicyRequired flag. If this flag is true,
     * an acceptable policy needs to be explicitly identified in
     * every certificate. By default, the ExplicitPolicyRequired
     * flag is false.
     *
     * @param val true if explicit policy is to be required, false
     * otherwise
     **/
00346     public void setExplicitPolicyRequired(boolean val)
    {
    explicitPolicyRequired = val;
    }

    /**
     * Checks if explicit policy is required. If this flag is
     * true, an acceptable policy needs to be explicitly
     * identified in every certificate. By default, the
     * ExplicitPolicyRequired flag is false.
     *
     * @return true if explicit policy is required, false otherwise
     **/
00359     public boolean isExplicitPolicyRequired()
    {
    return explicitPolicyRequired;
    }

    /**
     * Sets the PolicyMappingInhibited flag. If this flag is true,
     * policy mapping is inhibited. By default, policy mapping is
     * not inhibited (the flag is false).
     *
     * @param val true if policy mapping is to be inhibited, false otherwise
     **/
00371     public void setPolicyMappingInhibited(boolean val)
    {
    policyMappingInhibited = val;
    }

    /**
     * Checks if policy mapping is inhibited. If this flag is
     * true, policy mapping is inhibited. By default, policy
     * mapping is not inhibited (the flag is false).
     *
     * @return true if policy mapping is inhibited, false otherwise
     **/
00383     public boolean isPolicyMappingInhibited()
    {
    return policyMappingInhibited;
    }

    /**
     * Sets state to determine if the any policy OID should be
     * processed if it is included in a certificate. By default,
     * the any policy OID is not inhibited ({@link #isAnyPolicyInhibited()}
     * returns false).
     *
     * @return val - <code>true</code> if the any policy OID is to be inhibited, <code>false</code> otherwise
     **/
00396     public void setAnyPolicyInhibited(boolean val)
    {
    anyPolicyInhibited = val;
    }

    /**
     * Checks whether the any policy OID should be processed if it
     * is included in a certificate.
     *
     * @return <code>true</code> if the any policy OID is inhibited, <code>false</code> otherwise
     **/
00407     public boolean isAnyPolicyInhibited()
    {
    return anyPolicyInhibited;
    }

    /**
     * Sets the PolicyQualifiersRejected flag. If this flag is
     * true, certificates that include policy qualifiers in a
     * certificate policies extension that is marked critical are
     * rejected. If the flag is false, certificates are not
     * rejected on this basis.<br />
     * <br />
     * When a <code>PKIXParameters</code> object is created, this flag is set
     * to true. This setting reflects the most common (and
     * simplest) strategy for processing policy
     * qualifiers. Applications that want to use a more
     * sophisticated policy must set this flag to false.<br />
     * <br />
     * Note that the PKIX certification path validation algorithm
     * specifies that any policy qualifier in a certificate
     * policies extension that is marked critical must be
     * processed and validated. Otherwise the certification path
     * must be rejected. If the policyQualifiersRejected flag is
     * set to false, it is up to the application to validate all
     * policy qualifiers in this manner in order to be PKIX
     * compliant.
     *
     * @param qualifiersRejected the new value of the PolicyQualifiersRejected flag
     *
     * @see #getPolicyQualifiersRejected()
     * @see PolicyQualifierInfo
     **/
00439     public void setPolicyQualifiersRejected(boolean qualifiersRejected)
    {
    policyQualifiersRejected = qualifiersRejected;
    }

    /**
     * Gets the PolicyQualifiersRejected flag. If this flag is
     * true, certificates that include policy qualifiers in a
     * certificate policies extension that is marked critical are
     * rejected. If the flag is false, certificates are not
     * rejected on this basis.<br />
     * <br />
     * When a PKIXParameters object is created, this flag is set to
     * true. This setting reflects the most common (and simplest)
     * strategy for processing policy qualifiers. Applications that
     * want to use a more sophisticated policy must set this flag
     * to false.
     *
     * @return the current value of the PolicyQualifiersRejected flag
     *
     * @see #setPolicyQualifiersRejected(boolean)
     **/
00461     public boolean getPolicyQualifiersRejected()
    {
    return policyQualifiersRejected;
    }

        /**
     * Returns the time for which the validity of the
     * certification path should be determined. If null, the
     * current time is used.<br />
     * <br />
     * Note that the Date returned is copied to protect against
     * subsequent modifications.
     *
     * @return the Date, or <code>null</code> if not set
     *
     * @see #setDate(java.util.Date)
     **/
00478     public Date getDate()
    {
    if ( date == null )
        return null;

    return new Date( date.getTime() );
    }

    /**
     * Sets the time for which the validity of the certification
     * path should be determined. If null, the current time is
     * used.<br />
     * <br />
     * Note that the Date supplied here is copied to protect
     * against subsequent modifications.
     *
     * @param date the Date, or <code>null</code> for the current time
     *
     * @see #getDate()
     **/
00498     public void setDate(Date date)
    {
    if ( date == null )
        this.date = null;
    else
        this.date = new Date( date.getTime() );
    }

    /**
     * Sets a <code>List</code> of additional certification path checkers. If
     * the specified List contains an object that is not a
     * PKIXCertPathChecker, it is ignored.<br />
     * <br />
     * Each <code>PKIXCertPathChecker</code> specified implements additional
     * checks on a certificate. Typically, these are checks to
     * process and verify private extensions contained in
     * certificates. Each <code>PKIXCertPathChecker</code> should be
     * instantiated with any initialization parameters needed to
     * execute the check.<br />
     * <br />
     * This method allows sophisticated applications to extend a
     * PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code>. Each of the
     * specified PKIXCertPathCheckers will be called, in turn, by
     * a PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code> for each
     * certificate processed or validated.<br />
     * <br />
     * Regardless of whether these additional PKIXCertPathCheckers
     * are set, a PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code> must
     * perform all of the required PKIX checks on each
     * certificate. The one exception to this rule is if the
     * RevocationEnabled flag is set to false (see the
     * {@link #setRevocationEnabled(boolean) setRevocationEnabled} method).<br />
     * <br />
     * Note that the List supplied here is copied and each
     * PKIXCertPathChecker in the list is cloned to protect against
     * subsequent modifications.
     *
     * @param checkers a List of PKIXCertPathCheckers. May be
     * null, in which case no additional checkers will be used.
     * @exception ClassCastException if any of the elements in the
     * list are not of type
     * <code>java.security.cert.PKIXCertPathChecker</code>
     * @see #getCertPathCheckers()
     **/
00542     public void setCertPathCheckers(List checkers)
    {
    certPathCheckers = new ArrayList();
    if ( checkers == null )
        return;
    Iterator iter = checkers.iterator();
    while ( iter.hasNext() )
        certPathCheckers.add( (PKIXCertPathChecker)((PKIXCertPathChecker)iter.next()).clone() );
    }

    /**
     * Returns the List of certification path checkers. The
     * returned List is immutable, and each PKIXCertPathChecker in
     * the List is cloned to protect against subsequent
     * modifications.
     *
     * @return an immutable List of PKIXCertPathCheckers (may be empty, but not <code>null</code>)
     *
     * @see #setCertPathCheckers(java.util.List)
     **/
00562     public List getCertPathCheckers()
    {
    List checkers = new ArrayList();
    Iterator iter = certPathCheckers.iterator();
    while ( iter.hasNext() )
    {    
        checkers.add( (PKIXCertPathChecker)((PKIXCertPathChecker)iter.next()).clone() );
    }
    return Collections.unmodifiableList(checkers);
    }

    /**
     * Adds a PKIXCertPathChecker to the list of certification
     * path checkers. See the {@link #setCertPathCheckers} method for more
     * details.<br />
     * <br />
     * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
     * against subsequent modifications.
     *
     * @param checker  a <code>PKIXCertPathChecker</code> to add
     * to the list of checks. If <code>null</code>, the checker is
     * ignored (not added to list).
     **/
00585     public void addCertPathChecker( PKIXCertPathChecker checker )
    {
    if ( checker != null )
    {
        certPathCheckers.add( checker.clone() );
    }
    }

    /**
     * Returns the signature provider's name, or <code>null</code> if not set.
     *
     * @return the signature provider's name (or <code>null</code>)
     *
     * @see #setSigProvider(java.lang.String)
     **/
00600     public String getSigProvider()
    {
    return sigProvider;
    }

    /**
     * Sets the signature provider's name. The specified provider
     * will be preferred when creating Signature objects. If null
     * or not set, the first provider found supporting the
     * algorithm will be used.
     *
     * @param sigProvider the signature provider's name (or <code>null</code>)
     *
     * @see #getSigProvider()
     **/
00615     public void setSigProvider(String sigProvider)
    {
    this.sigProvider = sigProvider;
    }

    /**
     * Returns the required constraints on the target
     * certificate. The constraints are returned as an instance of
     * CertSelector. If <code>null</code>, no constraints are defined.<br />
     * <br />
     * Note that the CertSelector returned is cloned to protect
     * against subsequent modifications.
     *
     * @return a CertSelector specifying the constraints on the target certificate (or <code>null</code>)
     *
     * @see #setTargetCertConstraints(java.security.cert.CertSelector)
     **/
00632     public CertSelector getTargetCertConstraints()
    {
    if ( certSelector == null )
        return null;

    return (CertSelector)certSelector.clone();
    }

    /**
     * Sets the required constraints on the target
     * certificate. The constraints are specified as an instance
     * of CertSelector. If null, no constraints are defined.<br />
     * <br />
     * Note that the CertSelector specified is cloned to protect
     * against subsequent modifications.
     *
     * @param selector  a CertSelector specifying the constraints
     * on the target certificate (or <code>null</code>)
     *
     * @see #getTargetCertConstraints()
     **/
00653     public void setTargetCertConstraints(CertSelector selector)
    {
    if ( selector == null )
        certSelector = null;
    else
        certSelector = (CertSelector)selector.clone();
    }

    /**
     * Makes a copy of this PKIXParameters object. Changes to the
     * copy will not affect the original and vice versa.
     *
     * @return a copy of this <code>PKIXParameters</code> object
     **/
00667     public Object clone()
    {
    try {
        PKIXParameters obj = (PKIXParameters)super.clone();
        obj.certStores = new ArrayList( certStores );
        Iterator iter = certPathCheckers.iterator();
        obj.certPathCheckers = new ArrayList();
        while ( iter.hasNext() )
        {
        obj.certPathCheckers.add( ((PKIXCertPathChecker)iter.next()).clone() );
        }
        if ( initialPolicies != null )
        {
        obj.initialPolicies = new HashSet( initialPolicies );
        }
        if ( trustAnchors != null )
        {
        obj.trustAnchors = new HashSet( trustAnchors );
        }
        if ( certSelector != null )
        {
        obj.certSelector = (CertSelector)certSelector.clone();
        }
        return obj;
    } catch ( CloneNotSupportedException ex ) {
        throw new InternalError();
    }
    }

    /**
     * Returns a formatted string describing the parameters.
     *
     * @return a formatted string describing the parameters.
     **/
00701     public String toString()
    {
    StringBuffer s = new StringBuffer();
    s.append("[\n");
    if ( trustAnchors != null )
    {
        s.append("  Trust Anchors: ").append(trustAnchors).append('\n');
    }
    if ( initialPolicies != null )
    {
        if ( initialPolicies.isEmpty() )
        {
        s.append("  Initial Policy OIDs: any\n" );
        }
        else
        {
        s.append("  Initial Policy OIDs: [").append(initialPolicies).append("]\n");
        }
    }
    s.append("  Validity Date: ");
    if ( date != null )
        s.append(date);
    else
        s.append("null");
    s.append('\n');

    s.append("  Signature Provider: ");
    if ( sigProvider != null )
        s.append(sigProvider);
    else
        s.append("null");
    s.append('\n');

    s.append("  Default Revocation Enabled: ");
    s.append(revocationEnabled);
    s.append('\n' );

    s.append("  Explicit Policy Required: ");
    s.append(explicitPolicyRequired);
    s.append('\n');

    s.append("  Policy Mapping Inhibited: ");
    s.append(policyMappingInhibited);
    s.append('\n');

    s.append("  Any Policy Inhibited: ");
    s.append(anyPolicyInhibited);
    s.append('\n');

    s.append("  Policy Qualifiers Rejected: ");
    s.append(policyQualifiersRejected);
    s.append('\n');

    s.append("  Target Cert Constraints: ");
    s.append(certSelector);
    s.append('\n');

    s.append("  Certification Path Checkers: [");
    s.append(certPathCheckers);
    s.append( "}\n");

    s.append("  CertStores: [");
    s.append(certStores);
    s.append("}\n");

    s.append("]\n");

    return s.toString();
    }
}

Generated by  Doxygen 1.6.0   Back to index