001 /*
002 * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
003 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004 *
005 * This code is free software; you can redistribute it and/or modify it
006 * under the terms of the GNU General Public License version 2 only, as
007 * published by the Free Software Foundation. Sun designates this
008 * particular file as subject to the "Classpath" exception as provided
009 * by Sun in the LICENSE file that accompanied this code.
010 *
011 * This code is distributed in the hope that it will be useful, but WITHOUT
012 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014 * version 2 for more details (a copy is included in the LICENSE file that
015 * accompanied this code).
016 *
017 * You should have received a copy of the GNU General Public License version
018 * 2 along with this work; if not, write to the Free Software Foundation,
019 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020 *
021 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022 * CA 95054 USA or visit www.sun.com if you need additional information or
023 * have any questions.
024 */
025
026 package java.security.cert;
027
028 import java.security.InvalidAlgorithmParameterException;
029 import java.security.KeyStore;
030 import java.security.KeyStoreException;
031 import java.util.ArrayList;
032 import java.util.Collections;
033 import java.util.Date;
034 import java.util.Enumeration;
035 import java.util.HashSet;
036 import java.util.Iterator;
037 import java.util.List;
038 import java.util.Set;
039
040 /**
041 * Parameters used as input for the PKIX <code>CertPathValidator</code>
042 * algorithm.
043 * <p>
044 * A PKIX <code>CertPathValidator</code> uses these parameters to
045 * validate a <code>CertPath</code> according to the PKIX certification path
046 * validation algorithm.
047 *
048 * <p>To instantiate a <code>PKIXParameters</code> object, an
049 * application must specify one or more <i>most-trusted CAs</i> as defined by
050 * the PKIX certification path validation algorithm. The most-trusted CAs
051 * can be specified using one of two constructors. An application
052 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
053 * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each
054 * of which identify a most-trusted CA. Alternatively, an application can call
055 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
056 * <code>KeyStore</code> instance containing trusted certificate entries, each
057 * of which will be considered as a most-trusted CA.
058 * <p>
059 * Once a <code>PKIXParameters</code> object has been created, other parameters
060 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
061 * or {@link #setDate setDate}, for instance) and then the
062 * <code>PKIXParameters</code> is passed along with the <code>CertPath</code>
063 * to be validated to {@link CertPathValidator#validate
064 * CertPathValidator.validate}.
065 * <p>
066 * Any parameter that is not set (or is set to <code>null</code>) will
067 * be set to the default value for that parameter. The default value for the
068 * <code>date</code> parameter is <code>null</code>, which indicates
069 * the current time when the path is validated. The default for the
070 * remaining parameters is the least constrained.
071 * <p>
072 * <b>Concurrent Access</b>
073 * <p>
074 * Unless otherwise specified, the methods defined in this class are not
075 * thread-safe. Multiple threads that need to access a single
076 * object concurrently should synchronize amongst themselves and
077 * provide the necessary locking. Multiple threads each manipulating
078 * separate objects need not synchronize.
079 *
080 * @see CertPathValidator
081 *
082 * @version 1.25 05/05/07
083 * @since 1.4
084 * @author Sean Mullan
085 * @author Yassir Elley
086 */
087 public class PKIXParameters implements CertPathParameters {
088
089 private Set<TrustAnchor> unmodTrustAnchors;
090 private Date date;
091 private List<PKIXCertPathChecker> certPathCheckers;
092 private String sigProvider;
093 private boolean revocationEnabled = true;
094 private Set<String> unmodInitialPolicies;
095 private boolean explicitPolicyRequired = false;
096 private boolean policyMappingInhibited = false;
097 private boolean anyPolicyInhibited = false;
098 private boolean policyQualifiersRejected = true;
099 private List<CertStore> certStores;
100 private CertSelector certSelector;
101
102 /**
103 * Creates an instance of <code>PKIXParameters</code> with the specified
104 * <code>Set</code> of most-trusted CAs. Each element of the
105 * set is a {@link TrustAnchor TrustAnchor}.
106 * <p>
107 * Note that the <code>Set</code> is copied to protect against
108 * subsequent modifications.
109 *
110 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
111 * @throws InvalidAlgorithmParameterException if the specified
112 * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
113 * @throws NullPointerException if the specified <code>Set</code> is
114 * <code>null</code>
115 * @throws ClassCastException if any of the elements in the <code>Set</code>
116 * are not of type <code>java.security.cert.TrustAnchor</code>
117 */
118 public PKIXParameters(Set<TrustAnchor> trustAnchors)
119 throws InvalidAlgorithmParameterException {
120 setTrustAnchors(trustAnchors);
121
122 this .unmodInitialPolicies = Collections.<String> emptySet();
123 this .certPathCheckers = new ArrayList<PKIXCertPathChecker>();
124 this .certStores = new ArrayList<CertStore>();
125 }
126
127 /**
128 * Creates an instance of <code>PKIXParameters</code> that
129 * populates the set of most-trusted CAs from the trusted
130 * certificate entries contained in the specified <code>KeyStore</code>.
131 * Only keystore entries that contain trusted <code>X509Certificates</code>
132 * are considered; all other certificate types are ignored.
133 *
134 * @param keystore a <code>KeyStore</code> from which the set of
135 * most-trusted CAs will be populated
136 * @throws KeyStoreException if the keystore has not been initialized
137 * @throws InvalidAlgorithmParameterException if the keystore does
138 * not contain at least one trusted certificate entry
139 * @throws NullPointerException if the keystore is <code>null</code>
140 */
141 public PKIXParameters(KeyStore keystore) throws KeyStoreException,
142 InvalidAlgorithmParameterException {
143 if (keystore == null)
144 throw new NullPointerException(
145 "the keystore parameter must be " + "non-null");
146 Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
147 Enumeration<String> aliases = keystore.aliases();
148 while (aliases.hasMoreElements()) {
149 String alias = aliases.nextElement();
150 if (keystore.isCertificateEntry(alias)) {
151 Certificate cert = keystore.getCertificate(alias);
152 if (cert instanceof X509Certificate)
153 hashSet.add(new TrustAnchor((X509Certificate) cert,
154 null));
155 }
156 }
157 setTrustAnchors(hashSet);
158 this .unmodInitialPolicies = Collections.<String> emptySet();
159 this .certPathCheckers = new ArrayList<PKIXCertPathChecker>();
160 this .certStores = new ArrayList<CertStore>();
161 }
162
163 /**
164 * Returns an immutable <code>Set</code> of the most-trusted
165 * CAs.
166 *
167 * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s
168 * (never <code>null</code>)
169 *
170 * @see #setTrustAnchors
171 */
172 public Set<TrustAnchor> getTrustAnchors() {
173 return this .unmodTrustAnchors;
174 }
175
176 /**
177 * Sets the <code>Set</code> of most-trusted CAs.
178 * <p>
179 * Note that the <code>Set</code> is copied to protect against
180 * subsequent modifications.
181 *
182 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
183 * @throws InvalidAlgorithmParameterException if the specified
184 * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
185 * @throws NullPointerException if the specified <code>Set</code> is
186 * <code>null</code>
187 * @throws ClassCastException if any of the elements in the set
188 * are not of type <code>java.security.cert.TrustAnchor</code>
189 *
190 * @see #getTrustAnchors
191 */
192 public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
193 throws InvalidAlgorithmParameterException {
194 if (trustAnchors == null) {
195 throw new NullPointerException(
196 "the trustAnchors parameters must" + " be non-null");
197 }
198 if (trustAnchors.isEmpty()) {
199 throw new InvalidAlgorithmParameterException(
200 "the trustAnchors " + "parameter must be non-empty");
201 }
202 for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i
203 .hasNext();) {
204 if (!(i.next() instanceof TrustAnchor)) {
205 throw new ClassCastException(
206 "all elements of set must be "
207 + "of type java.security.cert.TrustAnchor");
208 }
209 }
210 this .unmodTrustAnchors = Collections
211 .unmodifiableSet(new HashSet<TrustAnchor>(trustAnchors));
212 }
213
214 /**
215 * Returns an immutable <code>Set</code> of initial
216 * policy identifiers (OID strings), indicating that any one of these
217 * policies would be acceptable to the certificate user for the purposes of
218 * certification path processing. The default return value is an empty
219 * <code>Set</code>, which is interpreted as meaning that any policy would
220 * be acceptable.
221 *
222 * @return an immutable <code>Set</code> of initial policy OIDs in
223 * <code>String</code> format, or an empty <code>Set</code> (implying any
224 * policy is acceptable). Never returns <code>null</code>.
225 *
226 * @see #setInitialPolicies
227 */
228 public Set<String> getInitialPolicies() {
229 return this .unmodInitialPolicies;
230 }
231
232 /**
233 * Sets the <code>Set</code> of initial policy identifiers
234 * (OID strings), indicating that any one of these
235 * policies would be acceptable to the certificate user for the purposes of
236 * certification path processing. By default, any policy is acceptable
237 * (i.e. all policies), so a user that wants to allow any policy as
238 * acceptable does not need to call this method, or can call it
239 * with an empty <code>Set</code> (or <code>null</code>).
240 * <p>
241 * Note that the <code>Set</code> is copied to protect against
242 * subsequent modifications.
243 *
244 * @param initialPolicies a <code>Set</code> of initial policy
245 * OIDs in <code>String</code> format (or <code>null</code>)
246 * @throws ClassCastException if any of the elements in the set are
247 * not of type <code>String</code>
248 *
249 * @see #getInitialPolicies
250 */
251 public void setInitialPolicies(Set<String> initialPolicies) {
252 if (initialPolicies != null) {
253 for (Iterator<String> i = initialPolicies.iterator(); i
254 .hasNext();) {
255 if (!(i.next() instanceof String))
256 throw new ClassCastException(
257 "all elements of set must be "
258 + "of type java.lang.String");
259 }
260 this .unmodInitialPolicies = Collections
261 .unmodifiableSet(new HashSet<String>(
262 initialPolicies));
263 } else
264 this .unmodInitialPolicies = Collections.<String> emptySet();
265 }
266
267 /**
268 * Sets the list of <code>CertStore</code>s to be used in finding
269 * certificates and CRLs. May be <code>null</code>, in which case
270 * no <code>CertStore</code>s will be used. The first
271 * <code>CertStore</code>s in the list may be preferred to those that
272 * appear later.
273 * <p>
274 * Note that the <code>List</code> is copied to protect against
275 * subsequent modifications.
276 *
277 * @param stores a <code>List</code> of <code>CertStore</code>s (or
278 * <code>null</code>)
279 * @throws ClassCastException if any of the elements in the list are
280 * not of type <code>java.security.cert.CertStore</code>
281 *
282 * @see #getCertStores
283 */
284 public void setCertStores(List<CertStore> stores) {
285 if (stores == null) {
286 this .certStores = new ArrayList<CertStore>();
287 } else {
288 for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
289 if (!(i.next() instanceof CertStore)) {
290 throw new ClassCastException(
291 "all elements of list must be "
292 + "of type java.security.cert.CertStore");
293 }
294 }
295 this .certStores = new ArrayList<CertStore>(stores);
296 }
297 }
298
299 /**
300 * Adds a <code>CertStore</code> to the end of the list of
301 * <code>CertStore</code>s used in finding certificates and CRLs.
302 *
303 * @param store the <code>CertStore</code> to add. If <code>null</code>,
304 * the store is ignored (not added to list).
305 */
306 public void addCertStore(CertStore store) {
307 if (store != null) {
308 this .certStores.add(store);
309 }
310 }
311
312 /**
313 * Returns an immutable <code>List</code> of <code>CertStore</code>s that
314 * are used to find certificates and CRLs.
315 *
316 * @return an immutable <code>List</code> of <code>CertStore</code>s
317 * (may be empty, but never <code>null</code>)
318 *
319 * @see #setCertStores
320 */
321 public List<CertStore> getCertStores() {
322 return Collections.unmodifiableList(new ArrayList<CertStore>(
323 this .certStores));
324 }
325
326 /**
327 * Sets the RevocationEnabled flag. If this flag is true, the default
328 * revocation checking mechanism of the underlying PKIX service provider
329 * will be used. If this flag is false, the default revocation checking
330 * mechanism will be disabled (not used).
331 * <p>
332 * When a <code>PKIXParameters</code> object is created, this flag is set
333 * to true. This setting reflects the most common strategy for checking
334 * revocation, since each service provider must support revocation
335 * checking to be PKIX compliant. Sophisticated applications should set
336 * this flag to false when it is not practical to use a PKIX service
337 * provider's default revocation checking mechanism or when an alternative
338 * revocation checking mechanism is to be substituted (by also calling the
339 * {@link #addCertPathChecker addCertPathChecker} or {@link
340 * #setCertPathCheckers setCertPathCheckers} methods).
341 *
342 * @param val the new value of the RevocationEnabled flag
343 */
344 public void setRevocationEnabled(boolean val) {
345 revocationEnabled = val;
346 }
347
348 /**
349 * Checks the RevocationEnabled flag. If this flag is true, the default
350 * revocation checking mechanism of the underlying PKIX service provider
351 * will be used. If this flag is false, the default revocation checking
352 * mechanism will be disabled (not used). See the {@link
353 * #setRevocationEnabled setRevocationEnabled} method for more details on
354 * setting the value of this flag.
355 *
356 * @return the current value of the RevocationEnabled flag
357 */
358 public boolean isRevocationEnabled() {
359 return revocationEnabled;
360 }
361
362 /**
363 * Sets the ExplicitPolicyRequired flag. If this flag is true, an
364 * acceptable policy needs to be explicitly identified in every certificate.
365 * By default, the ExplicitPolicyRequired flag is false.
366 *
367 * @param val <code>true</code> if explicit policy is to be required,
368 * <code>false</code> otherwise
369 */
370 public void setExplicitPolicyRequired(boolean val) {
371 explicitPolicyRequired = val;
372 }
373
374 /**
375 * Checks if explicit policy is required. If this flag is true, an
376 * acceptable policy needs to be explicitly identified in every certificate.
377 * By default, the ExplicitPolicyRequired flag is false.
378 *
379 * @return <code>true</code> if explicit policy is required,
380 * <code>false</code> otherwise
381 */
382 public boolean isExplicitPolicyRequired() {
383 return explicitPolicyRequired;
384 }
385
386 /**
387 * Sets the PolicyMappingInhibited flag. If this flag is true, policy
388 * mapping is inhibited. By default, policy mapping is not inhibited (the
389 * flag is false).
390 *
391 * @param val <code>true</code> if policy mapping is to be inhibited,
392 * <code>false</code> otherwise
393 */
394 public void setPolicyMappingInhibited(boolean val) {
395 policyMappingInhibited = val;
396 }
397
398 /**
399 * Checks if policy mapping is inhibited. If this flag is true, policy
400 * mapping is inhibited. By default, policy mapping is not inhibited (the
401 * flag is false).
402 *
403 * @return true if policy mapping is inhibited, false otherwise
404 */
405 public boolean isPolicyMappingInhibited() {
406 return policyMappingInhibited;
407 }
408
409 /**
410 * Sets state to determine if the any policy OID should be processed
411 * if it is included in a certificate. By default, the any policy OID
412 * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
413 * returns <code>false</code>).
414 *
415 * @param val <code>true</code> if the any policy OID is to be
416 * inhibited, <code>false</code> otherwise
417 */
418 public void setAnyPolicyInhibited(boolean val) {
419 anyPolicyInhibited = val;
420 }
421
422 /**
423 * Checks whether the any policy OID should be processed if it
424 * is included in a certificate.
425 *
426 * @return <code>true</code> if the any policy OID is inhibited,
427 * <code>false</code> otherwise
428 */
429 public boolean isAnyPolicyInhibited() {
430 return anyPolicyInhibited;
431 }
432
433 /**
434 * Sets the PolicyQualifiersRejected flag. If this flag is true,
435 * certificates that include policy qualifiers in a certificate
436 * policies extension that is marked critical are rejected.
437 * If the flag is false, certificates are not rejected on this basis.
438 *
439 * <p> When a <code>PKIXParameters</code> object is created, this flag is
440 * set to true. This setting reflects the most common (and simplest)
441 * strategy for processing policy qualifiers. Applications that want to use
442 * a more sophisticated policy must set this flag to false.
443 * <p>
444 * Note that the PKIX certification path validation algorithm specifies
445 * that any policy qualifier in a certificate policies extension that is
446 * marked critical must be processed and validated. Otherwise the
447 * certification path must be rejected. If the policyQualifiersRejected flag
448 * is set to false, it is up to the application to validate all policy
449 * qualifiers in this manner in order to be PKIX compliant.
450 *
451 * @param qualifiersRejected the new value of the PolicyQualifiersRejected
452 * flag
453 * @see #getPolicyQualifiersRejected
454 * @see PolicyQualifierInfo
455 */
456 public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
457 policyQualifiersRejected = qualifiersRejected;
458 }
459
460 /**
461 * Gets the PolicyQualifiersRejected flag. If this flag is true,
462 * certificates that include policy qualifiers in a certificate policies
463 * extension that is marked critical are rejected.
464 * If the flag is false, certificates are not rejected on this basis.
465 *
466 * <p> When a <code>PKIXParameters</code> object is created, this flag is
467 * set to true. This setting reflects the most common (and simplest)
468 * strategy for processing policy qualifiers. Applications that want to use
469 * a more sophisticated policy must set this flag to false.
470 *
471 * @return the current value of the PolicyQualifiersRejected flag
472 * @see #setPolicyQualifiersRejected
473 */
474 public boolean getPolicyQualifiersRejected() {
475 return policyQualifiersRejected;
476 }
477
478 /**
479 * Returns the time for which the validity of the certification path
480 * should be determined. If <code>null</code>, the current time is used.
481 * <p>
482 * Note that the <code>Date</code> returned is copied to protect against
483 * subsequent modifications.
484 *
485 * @return the <code>Date</code>, or <code>null</code> if not set
486 * @see #setDate
487 */
488 public Date getDate() {
489 if (date == null)
490 return null;
491 else
492 return (Date) this .date.clone();
493 }
494
495 /**
496 * Sets the time for which the validity of the certification path
497 * should be determined. If <code>null</code>, the current time is used.
498 * <p>
499 * Note that the <code>Date</code> supplied here is copied to protect
500 * against subsequent modifications.
501 *
502 * @param date the <code>Date</code>, or <code>null</code> for the
503 * current time
504 * @see #getDate
505 */
506 public void setDate(Date date) {
507 if (date != null)
508 this .date = (Date) date.clone();
509 else
510 date = null;
511 }
512
513 /**
514 * Sets a <code>List</code> of additional certification path checkers. If
515 * the specified <code>List</code> contains an object that is not a
516 * <code>PKIXCertPathChecker</code>, it is ignored.
517 * <p>
518 * Each <code>PKIXCertPathChecker</code> specified implements
519 * additional checks on a certificate. Typically, these are checks to
520 * process and verify private extensions contained in certificates.
521 * Each <code>PKIXCertPathChecker</code> should be instantiated with any
522 * initialization parameters needed to execute the check.
523 * <p>
524 * This method allows sophisticated applications to extend a PKIX
525 * <code>CertPathValidator</code> or <code>CertPathBuilder</code>.
526 * Each of the specified <code>PKIXCertPathChecker</code>s will be called,
527 * in turn, by a PKIX <code>CertPathValidator</code> or
528 * <code>CertPathBuilder</code> for each certificate processed or
529 * validated.
530 * <p>
531 * Regardless of whether these additional <code>PKIXCertPathChecker</code>s
532 * are set, a PKIX <code>CertPathValidator</code> or
533 * <code>CertPathBuilder</code> must perform all of the required PKIX
534 * checks on each certificate. The one exception to this rule is if the
535 * RevocationEnabled flag is set to false (see the {@link
536 * #setRevocationEnabled setRevocationEnabled} method).
537 * <p>
538 * Note that the <code>List</code> supplied here is copied and each
539 * <code>PKIXCertPathChecker</code> in the list is cloned to protect
540 * against subsequent modifications.
541 *
542 * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s.
543 * May be <code>null</code>, in which case no additional checkers will be
544 * used.
545 * @throws ClassCastException if any of the elements in the list
546 * are not of type <code>java.security.cert.PKIXCertPathChecker</code>
547 * @see #getCertPathCheckers
548 */
549 public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
550 if (checkers != null) {
551 List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
552 for (PKIXCertPathChecker checker : checkers) {
553 tmpList.add((PKIXCertPathChecker) checker.clone());
554 }
555 this .certPathCheckers = tmpList;
556 } else {
557 this .certPathCheckers = new ArrayList<PKIXCertPathChecker>();
558 }
559 }
560
561 /**
562 * Returns the <code>List</code> of certification path checkers.
563 * The returned <code>List</code> is immutable, and each
564 * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned
565 * to protect against subsequent modifications.
566 *
567 * @return an immutable <code>List</code> of
568 * <code>PKIXCertPathChecker</code>s (may be empty, but not
569 * <code>null</code>)
570 * @see #setCertPathCheckers
571 */
572 public List<PKIXCertPathChecker> getCertPathCheckers() {
573 List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
574 for (PKIXCertPathChecker ck : certPathCheckers) {
575 tmpList.add((PKIXCertPathChecker) ck.clone());
576 }
577 return Collections.unmodifiableList(tmpList);
578 }
579
580 /**
581 * Adds a <code>PKIXCertPathChecker</code> to the list of certification
582 * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
583 * method for more details.
584 * <p>
585 * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
586 * against subsequent modifications.
587 *
588 * @param checker a <code>PKIXCertPathChecker</code> to add to the list of
589 * checks. If <code>null</code>, the checker is ignored (not added to list).
590 */
591 public void addCertPathChecker(PKIXCertPathChecker checker) {
592 if (checker != null) {
593 certPathCheckers.add((PKIXCertPathChecker) checker.clone());
594 }
595 }
596
597 /**
598 * Returns the signature provider's name, or <code>null</code>
599 * if not set.
600 *
601 * @return the signature provider's name (or <code>null</code>)
602 * @see #setSigProvider
603 */
604 public String getSigProvider() {
605 return this .sigProvider;
606 }
607
608 /**
609 * Sets the signature provider's name. The specified provider will be
610 * preferred when creating {@link java.security.Signature Signature}
611 * objects. If <code>null</code> or not set, the first provider found
612 * supporting the algorithm will be used.
613 *
614 * @param sigProvider the signature provider's name (or <code>null</code>)
615 * @see #getSigProvider
616 */
617 public void setSigProvider(String sigProvider) {
618 this .sigProvider = sigProvider;
619 }
620
621 /**
622 * Returns the required constraints on the target certificate.
623 * The constraints are returned as an instance of <code>CertSelector</code>.
624 * If <code>null</code>, no constraints are defined.
625 *
626 * <p>Note that the <code>CertSelector</code> returned is cloned
627 * to protect against subsequent modifications.
628 *
629 * @return a <code>CertSelector</code> specifying the constraints
630 * on the target certificate (or <code>null</code>)
631 * @see #setTargetCertConstraints
632 */
633 public CertSelector getTargetCertConstraints() {
634 if (certSelector != null) {
635 return (CertSelector) certSelector.clone();
636 } else {
637 return null;
638 }
639 }
640
641 /**
642 * Sets the required constraints on the target certificate.
643 * The constraints are specified as an instance of
644 * <code>CertSelector</code>. If <code>null</code>, no constraints are
645 * defined.
646 *
647 * <p>Note that the <code>CertSelector</code> specified is cloned
648 * to protect against subsequent modifications.
649 *
650 * @param selector a <code>CertSelector</code> specifying the constraints
651 * on the target certificate (or <code>null</code>)
652 * @see #getTargetCertConstraints
653 */
654 public void setTargetCertConstraints(CertSelector selector) {
655 if (selector != null)
656 certSelector = (CertSelector) selector.clone();
657 else
658 certSelector = null;
659 }
660
661 /**
662 * Makes a copy of this <code>PKIXParameters</code> object. Changes
663 * to the copy will not affect the original and vice versa.
664 *
665 * @return a copy of this <code>PKIXParameters</code> object
666 */
667 public Object clone() {
668 try {
669 Object copy = super .clone();
670 // Must clone these because addCertStore, et al. modify them
671 if (certStores != null) {
672 certStores = new ArrayList<CertStore>(certStores);
673 }
674 if (certPathCheckers != null) {
675 certPathCheckers = new ArrayList<PKIXCertPathChecker>(
676 certPathCheckers);
677 }
678 return copy;
679 } catch (CloneNotSupportedException e) {
680 /* Cannot happen */
681 throw new InternalError(e.toString());
682 }
683 }
684
685 /**
686 * Returns a formatted string describing the parameters.
687 *
688 * @return a formatted string describing the parameters.
689 */
690 public String toString() {
691 StringBuffer sb = new StringBuffer();
692 sb.append("[\n");
693
694 /* start with trusted anchor info */
695 if (unmodTrustAnchors != null) {
696 sb.append(" Trust Anchors: "
697 + unmodTrustAnchors.toString() + "\n");
698 }
699
700 /* now, append initial state information */
701 if (unmodInitialPolicies != null) {
702 if (unmodInitialPolicies.isEmpty()) {
703 sb.append(" Initial Policy OIDs: any\n");
704 } else {
705 sb.append(" Initial Policy OIDs: ["
706 + unmodInitialPolicies.toString() + "]\n");
707 }
708 }
709
710 /* now, append constraints on all certificates in the path */
711 sb.append(" Validity Date: " + String.valueOf(date) + "\n");
712 sb.append(" Signature Provider: "
713 + String.valueOf(sigProvider) + "\n");
714 sb.append(" Default Revocation Enabled: " + revocationEnabled
715 + "\n");
716 sb.append(" Explicit Policy Required: "
717 + explicitPolicyRequired + "\n");
718 sb.append(" Policy Mapping Inhibited: "
719 + policyMappingInhibited + "\n");
720 sb.append(" Any Policy Inhibited: " + anyPolicyInhibited
721 + "\n");
722 sb.append(" Policy Qualifiers Rejected: "
723 + policyQualifiersRejected + "\n");
724
725 /* now, append target cert requirements */
726 sb.append(" Target Cert Constraints: "
727 + String.valueOf(certSelector) + "\n");
728
729 /* finally, append miscellaneous parameters */
730 if (certPathCheckers != null)
731 sb.append(" Certification Path Checkers: ["
732 + certPathCheckers.toString() + "]\n");
733 if (certStores != null)
734 sb
735 .append(" CertStores: [" + certStores.toString()
736 + "]\n");
737 sb.append("]");
738 return sb.toString();
739 }
740 }
|