1 /*
2 * Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26 package java.security.cert;
27
28 import java.security.InvalidAlgorithmParameterException;
29 import java.security.KeyStore;
30 import java.security.KeyStoreException;
31 import java.util.ArrayList;
32 import java.util.Collections;
33 import java.util.Date;
34 import java.util.Enumeration;
35 import java.util.HashSet;
36 import java.util.Iterator;
37 import java.util.List;
38 import java.util.Set;
39
40 /**
41 * Parameters used as input for the PKIX <code>CertPathValidator</code>
42 * algorithm.
43 * <p>
44 * A PKIX <code>CertPathValidator</code> uses these parameters to
45 * validate a <code>CertPath</code> according to the PKIX certification path
46 * validation algorithm.
47 *
48 * <p>To instantiate a <code>PKIXParameters</code> object, an
49 * application must specify one or more <i>most-trusted CAs</i> as defined by
50 * the PKIX certification path validation algorithm. The most-trusted CAs
51 * can be specified using one of two constructors. An application
52 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
53 * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each
54 * of which identify a most-trusted CA. Alternatively, an application can call
55 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
56 * <code>KeyStore</code> instance containing trusted certificate entries, each
57 * of which will be considered as a most-trusted CA.
58 * <p>
59 * Once a <code>PKIXParameters</code> object has been created, other parameters
60 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
61 * or {@link #setDate setDate}, for instance) and then the
62 * <code>PKIXParameters</code> is passed along with the <code>CertPath</code>
63 * to be validated to {@link CertPathValidator#validate
64 * CertPathValidator.validate}.
65 * <p>
66 * Any parameter that is not set (or is set to <code>null</code>) will
67 * be set to the default value for that parameter. The default value for the
68 * <code>date</code> parameter is <code>null</code>, which indicates
69 * the current time when the path is validated. The default for the
70 * remaining parameters is the least constrained.
71 * <p>
72 * <b>Concurrent Access</b>
73 * <p>
74 * Unless otherwise specified, the methods defined in this class are not
75 * thread-safe. Multiple threads that need to access a single
76 * object concurrently should synchronize amongst themselves and
77 * provide the necessary locking. Multiple threads each manipulating
78 * separate objects need not synchronize.
79 *
80 * @see CertPathValidator
81 *
82 * @since 1.4
83 * @author Sean Mullan
84 * @author Yassir Elley
85 */
86 public class PKIXParameters implements CertPathParameters {
87
88 private Set<TrustAnchor> unmodTrustAnchors;
89 private Date date;
90 private List<PKIXCertPathChecker> certPathCheckers;
91 private String sigProvider;
92 private boolean revocationEnabled = true;
93 private Set<String> unmodInitialPolicies;
94 private boolean explicitPolicyRequired = false;
95 private boolean policyMappingInhibited = false;
96 private boolean anyPolicyInhibited = false;
97 private boolean policyQualifiersRejected = true;
98 private List<CertStore> certStores;
99 private CertSelector certSelector;
100
101 /**
102 * Creates an instance of <code>PKIXParameters</code> with the specified
103 * <code>Set</code> of most-trusted CAs. Each element of the
104 * set is a {@link TrustAnchor TrustAnchor}.
105 * <p>
106 * Note that the <code>Set</code> is copied to protect against
107 * subsequent modifications.
108 *
109 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
110 * @throws InvalidAlgorithmParameterException if the specified
111 * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
112 * @throws NullPointerException if the specified <code>Set</code> is
113 * <code>null</code>
114 * @throws ClassCastException if any of the elements in the <code>Set</code>
115 * are not of type <code>java.security.cert.TrustAnchor</code>
116 */
117 public PKIXParameters(Set<TrustAnchor> trustAnchors)
118 throws InvalidAlgorithmParameterException
119 {
120 setTrustAnchors(trustAnchors);
121
122 this.unmodInitialPolicies = Collections.<String>emptySet();
123 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
124 this.certStores = new ArrayList<CertStore>();
125 }
126
127 /**
128 * Creates an instance of <code>PKIXParameters</code> that
129 * populates the set of most-trusted CAs from the trusted
130 * certificate entries contained in the specified <code>KeyStore</code>.
131 * Only keystore entries that contain trusted <code>X509Certificates</code>
132 * are considered; all other certificate types are ignored.
133 *
134 * @param keystore a <code>KeyStore</code> from which the set of
135 * most-trusted CAs will be populated
136 * @throws KeyStoreException if the keystore has not been initialized
137 * @throws InvalidAlgorithmParameterException if the keystore does
138 * not contain at least one trusted certificate entry
139 * @throws NullPointerException if the keystore is <code>null</code>
140 */
141 public PKIXParameters(KeyStore keystore)
142 throws KeyStoreException, InvalidAlgorithmParameterException
143 {
144 if (keystore == null)
145 throw new NullPointerException("the keystore parameter must be " +
146 "non-null");
147 Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
148 Enumeration<String> aliases = keystore.aliases();
149 while (aliases.hasMoreElements()) {
150 String alias = aliases.nextElement();
151 if (keystore.isCertificateEntry(alias)) {
152 Certificate cert = keystore.getCertificate(alias);
153 if (cert instanceof X509Certificate)
154 hashSet.add(new TrustAnchor((X509Certificate)cert, null));
155 }
156 }
157 setTrustAnchors(hashSet);
158 this.unmodInitialPolicies = Collections.<String>emptySet();
159 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
160 this.certStores = new ArrayList<CertStore>();
161 }
162
163 /**
164 * Returns an immutable <code>Set</code> of the most-trusted
165 * CAs.
166 *
167 * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s
168 * (never <code>null</code>)
169 *
170 * @see #setTrustAnchors
171 */
172 public Set<TrustAnchor> getTrustAnchors() {
173 return this.unmodTrustAnchors;
174 }
175
176 /**
177 * Sets the <code>Set</code> of most-trusted CAs.
178 * <p>
179 * Note that the <code>Set</code> is copied to protect against
180 * subsequent modifications.
181 *
182 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
183 * @throws InvalidAlgorithmParameterException if the specified
184 * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
185 * @throws NullPointerException if the specified <code>Set</code> is
186 * <code>null</code>
187 * @throws ClassCastException if any of the elements in the set
188 * are not of type <code>java.security.cert.TrustAnchor</code>
189 *
190 * @see #getTrustAnchors
191 */
192 public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
193 throws InvalidAlgorithmParameterException
194 {
195 if (trustAnchors == null) {
196 throw new NullPointerException("the trustAnchors parameters must" +
197 " be non-null");
198 }
199 if (trustAnchors.isEmpty()) {
200 throw new InvalidAlgorithmParameterException("the trustAnchors " +
201 "parameter must be non-empty");
202 }
203 for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
204 if (!(i.next() instanceof TrustAnchor)) {
205 throw new ClassCastException("all elements of set must be "
206 + "of type java.security.cert.TrustAnchor");
207 }
208 }
209 this.unmodTrustAnchors = Collections.unmodifiableSet
210 (new HashSet<TrustAnchor>(trustAnchors));
211 }
212
213 /**
214 * Returns an immutable <code>Set</code> of initial
215 * policy identifiers (OID strings), indicating that any one of these
216 * policies would be acceptable to the certificate user for the purposes of
217 * certification path processing. The default return value is an empty
218 * <code>Set</code>, which is interpreted as meaning that any policy would
219 * be acceptable.
220 *
221 * @return an immutable <code>Set</code> of initial policy OIDs in
222 * <code>String</code> format, or an empty <code>Set</code> (implying any
223 * policy is acceptable). Never returns <code>null</code>.
224 *
225 * @see #setInitialPolicies
226 */
227 public Set<String> getInitialPolicies() {
228 return this.unmodInitialPolicies;
229 }
230
231 /**
232 * Sets the <code>Set</code> of initial policy identifiers
233 * (OID strings), indicating that any one of these
234 * policies would be acceptable to the certificate user for the purposes of
235 * certification path processing. By default, any policy is acceptable
236 * (i.e. all policies), so a user that wants to allow any policy as
237 * acceptable does not need to call this method, or can call it
238 * with an empty <code>Set</code> (or <code>null</code>).
239 * <p>
240 * Note that the <code>Set</code> is copied to protect against
241 * subsequent modifications.
242 *
243 * @param initialPolicies a <code>Set</code> of initial policy
244 * OIDs in <code>String</code> format (or <code>null</code>)
245 * @throws ClassCastException if any of the elements in the set are
246 * not of type <code>String</code>
247 *
248 * @see #getInitialPolicies
249 */
250 public void setInitialPolicies(Set<String> initialPolicies) {
251 if (initialPolicies != null) {
252 for (Iterator<String> i = initialPolicies.iterator();
253 i.hasNext();) {
254 if (!(i.next() instanceof String))
255 throw new ClassCastException("all elements of set must be "
256 + "of type java.lang.String");
257 }
258 this.unmodInitialPolicies =
259 Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
260 } else
261 this.unmodInitialPolicies = Collections.<String>emptySet();
262 }
263
264 /**
265 * Sets the list of <code>CertStore</code>s to be used in finding
266 * certificates and CRLs. May be <code>null</code>, in which case
267 * no <code>CertStore</code>s will be used. The first
268 * <code>CertStore</code>s in the list may be preferred to those that
269 * appear later.
270 * <p>
271 * Note that the <code>List</code> is copied to protect against
272 * subsequent modifications.
273 *
274 * @param stores a <code>List</code> of <code>CertStore</code>s (or
275 * <code>null</code>)
276 * @throws ClassCastException if any of the elements in the list are
277 * not of type <code>java.security.cert.CertStore</code>
278 *
279 * @see #getCertStores
280 */
281 public void setCertStores(List<CertStore> stores) {
282 if (stores == null) {
283 this.certStores = new ArrayList<CertStore>();
284 } else {
285 for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
286 if (!(i.next() instanceof CertStore)) {
287 throw new ClassCastException("all elements of list must be "
288 + "of type java.security.cert.CertStore");
289 }
290 }
291 this.certStores = new ArrayList<CertStore>(stores);
292 }
293 }
294
295 /**
296 * Adds a <code>CertStore</code> to the end of the list of
297 * <code>CertStore</code>s used in finding certificates and CRLs.
298 *
299 * @param store the <code>CertStore</code> to add. If <code>null</code>,
300 * the store is ignored (not added to list).
301 */
302 public void addCertStore(CertStore store) {
303 if (store != null) {
304 this.certStores.add(store);
305 }
306 }
307
308 /**
309 * Returns an immutable <code>List</code> of <code>CertStore</code>s that
310 * are used to find certificates and CRLs.
311 *
312 * @return an immutable <code>List</code> of <code>CertStore</code>s
313 * (may be empty, but never <code>null</code>)
314 *
315 * @see #setCertStores
316 */
317 public List<CertStore> getCertStores() {
318 return Collections.unmodifiableList
319 (new ArrayList<CertStore>(this.certStores));
320 }
321
322 /**
323 * Sets the RevocationEnabled flag. If this flag is true, the default
324 * revocation checking mechanism of the underlying PKIX service provider
325 * will be used. If this flag is false, the default revocation checking
326 * mechanism will be disabled (not used).
327 * <p>
328 * When a <code>PKIXParameters</code> object is created, this flag is set
329 * to true. This setting reflects the most common strategy for checking
330 * revocation, since each service provider must support revocation
331 * checking to be PKIX compliant. Sophisticated applications should set
332 * this flag to false when it is not practical to use a PKIX service
333 * provider's default revocation checking mechanism or when an alternative
334 * revocation checking mechanism is to be substituted (by also calling the
335 * {@link #addCertPathChecker addCertPathChecker} or {@link
336 * #setCertPathCheckers setCertPathCheckers} methods).
337 *
338 * @param val the new value of the RevocationEnabled flag
339 */
340 public void setRevocationEnabled(boolean val) {
341 revocationEnabled = val;
342 }
343
344 /**
345 * Checks the RevocationEnabled flag. If this flag is true, the default
346 * revocation checking mechanism of the underlying PKIX service provider
347 * will be used. If this flag is false, the default revocation checking
348 * mechanism will be disabled (not used). See the {@link
349 * #setRevocationEnabled setRevocationEnabled} method for more details on
350 * setting the value of this flag.
351 *
352 * @return the current value of the RevocationEnabled flag
353 */
354 public boolean isRevocationEnabled() {
355 return revocationEnabled;
356 }
357
358 /**
359 * Sets the ExplicitPolicyRequired flag. If this flag is true, an
360 * acceptable policy needs to be explicitly identified in every certificate.
361 * By default, the ExplicitPolicyRequired flag is false.
362 *
363 * @param val <code>true</code> if explicit policy is to be required,
364 * <code>false</code> otherwise
365 */
366 public void setExplicitPolicyRequired(boolean val) {
367 explicitPolicyRequired = val;
368 }
369
370 /**
371 * Checks if explicit policy is required. If this flag is true, an
372 * acceptable policy needs to be explicitly identified in every certificate.
373 * By default, the ExplicitPolicyRequired flag is false.
374 *
375 * @return <code>true</code> if explicit policy is required,
376 * <code>false</code> otherwise
377 */
378 public boolean isExplicitPolicyRequired() {
379 return explicitPolicyRequired;
380 }
381
382 /**
383 * Sets the PolicyMappingInhibited flag. If this flag is true, policy
384 * mapping is inhibited. By default, policy mapping is not inhibited (the
385 * flag is false).
386 *
387 * @param val <code>true</code> if policy mapping is to be inhibited,
388 * <code>false</code> otherwise
389 */
390 public void setPolicyMappingInhibited(boolean val) {
391 policyMappingInhibited = val;
392 }
393
394 /**
395 * Checks if policy mapping is inhibited. If this flag is true, policy
396 * mapping is inhibited. By default, policy mapping is not inhibited (the
397 * flag is false).
398 *
399 * @return true if policy mapping is inhibited, false otherwise
400 */
401 public boolean isPolicyMappingInhibited() {
402 return policyMappingInhibited;
403 }
404
405 /**
406 * Sets state to determine if the any policy OID should be processed
407 * if it is included in a certificate. By default, the any policy OID
408 * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
409 * returns <code>false</code>).
410 *
411 * @param val <code>true</code> if the any policy OID is to be
412 * inhibited, <code>false</code> otherwise
413 */
414 public void setAnyPolicyInhibited(boolean val) {
415 anyPolicyInhibited = val;
416 }
417
418 /**
419 * Checks whether the any policy OID should be processed if it
420 * is included in a certificate.
421 *
422 * @return <code>true</code> if the any policy OID is inhibited,
423 * <code>false</code> otherwise
424 */
425 public boolean isAnyPolicyInhibited() {
426 return anyPolicyInhibited;
427 }
428
429 /**
430 * Sets the PolicyQualifiersRejected flag. If this flag is true,
431 * certificates that include policy qualifiers in a certificate
432 * policies extension that is marked critical are rejected.
433 * If the flag is false, certificates are not rejected on this basis.
434 *
435 * <p> When a <code>PKIXParameters</code> object is created, this flag is
436 * set to true. This setting reflects the most common (and simplest)
437 * strategy for processing policy qualifiers. Applications that want to use
438 * a more sophisticated policy must set this flag to false.
439 * <p>
440 * Note that the PKIX certification path validation algorithm specifies
441 * that any policy qualifier in a certificate policies extension that is
442 * marked critical must be processed and validated. Otherwise the
443 * certification path must be rejected. If the policyQualifiersRejected flag
444 * is set to false, it is up to the application to validate all policy
445 * qualifiers in this manner in order to be PKIX compliant.
446 *
447 * @param qualifiersRejected the new value of the PolicyQualifiersRejected
448 * flag
449 * @see #getPolicyQualifiersRejected
450 * @see PolicyQualifierInfo
451 */
452 public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
453 policyQualifiersRejected = qualifiersRejected;
454 }
455
456 /**
457 * Gets the PolicyQualifiersRejected flag. If this flag is true,
458 * certificates that include policy qualifiers in a certificate policies
459 * extension that is marked critical are rejected.
460 * If the flag is false, certificates are not rejected on this basis.
461 *
462 * <p> When a <code>PKIXParameters</code> object is created, this flag is
463 * set to true. This setting reflects the most common (and simplest)
464 * strategy for processing policy qualifiers. Applications that want to use
465 * a more sophisticated policy must set this flag to false.
466 *
467 * @return the current value of the PolicyQualifiersRejected flag
468 * @see #setPolicyQualifiersRejected
469 */
470 public boolean getPolicyQualifiersRejected() {
471 return policyQualifiersRejected;
472 }
473
474 /**
475 * Returns the time for which the validity of the certification path
476 * should be determined. If <code>null</code>, the current time is used.
477 * <p>
478 * Note that the <code>Date</code> returned is copied to protect against
479 * subsequent modifications.
480 *
481 * @return the <code>Date</code>, or <code>null</code> if not set
482 * @see #setDate
483 */
484 public Date getDate() {
485 if (date == null)
486 return null;
487 else
488 return (Date) this.date.clone();
489 }
490
491 /**
492 * Sets the time for which the validity of the certification path
493 * should be determined. If <code>null</code>, the current time is used.
494 * <p>
495 * Note that the <code>Date</code> supplied here is copied to protect
496 * against subsequent modifications.
497 *
498 * @param date the <code>Date</code>, or <code>null</code> for the
499 * current time
500 * @see #getDate
501 */
502 public void setDate(Date date) {
503 if (date != null)
504 this.date = (Date) date.clone();
505 else
506 date = null;
507 }
508
509 /**
510 * Sets a <code>List</code> of additional certification path checkers. If
511 * the specified <code>List</code> contains an object that is not a
512 * <code>PKIXCertPathChecker</code>, it is ignored.
513 * <p>
514 * Each <code>PKIXCertPathChecker</code> specified implements
515 * additional checks on a certificate. Typically, these are checks to
516 * process and verify private extensions contained in certificates.
517 * Each <code>PKIXCertPathChecker</code> should be instantiated with any
518 * initialization parameters needed to execute the check.
519 * <p>
520 * This method allows sophisticated applications to extend a PKIX
521 * <code>CertPathValidator</code> or <code>CertPathBuilder</code>.
522 * Each of the specified <code>PKIXCertPathChecker</code>s will be called,
523 * in turn, by a PKIX <code>CertPathValidator</code> or
524 * <code>CertPathBuilder</code> for each certificate processed or
525 * validated.
526 * <p>
527 * Regardless of whether these additional <code>PKIXCertPathChecker</code>s
528 * are set, a PKIX <code>CertPathValidator</code> or
529 * <code>CertPathBuilder</code> must perform all of the required PKIX
530 * checks on each certificate. The one exception to this rule is if the
531 * RevocationEnabled flag is set to false (see the {@link
532 * #setRevocationEnabled setRevocationEnabled} method).
533 * <p>
534 * Note that the <code>List</code> supplied here is copied and each
535 * <code>PKIXCertPathChecker</code> in the list is cloned to protect
536 * against subsequent modifications.
537 *
538 * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s.
539 * May be <code>null</code>, in which case no additional checkers will be
540 * used.
541 * @throws ClassCastException if any of the elements in the list
542 * are not of type <code>java.security.cert.PKIXCertPathChecker</code>
543 * @see #getCertPathCheckers
544 */
545 public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
546 if (checkers != null) {
547 List<PKIXCertPathChecker> tmpList =
548 new ArrayList<PKIXCertPathChecker>();
549 for (PKIXCertPathChecker checker : checkers) {
550 tmpList.add((PKIXCertPathChecker)checker.clone());
551 }
552 this.certPathCheckers = tmpList;
553 } else {
554 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
555 }
556 }
557
558 /**
559 * Returns the <code>List</code> of certification path checkers.
560 * The returned <code>List</code> is immutable, and each
561 * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned
562 * to protect against subsequent modifications.
563 *
564 * @return an immutable <code>List</code> of
565 * <code>PKIXCertPathChecker</code>s (may be empty, but not
566 * <code>null</code>)
567 * @see #setCertPathCheckers
568 */
569 public List<PKIXCertPathChecker> getCertPathCheckers() {
570 List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
571 for (PKIXCertPathChecker ck : certPathCheckers) {
572 tmpList.add((PKIXCertPathChecker)ck.clone());
573 }
574 return Collections.unmodifiableList(tmpList);
575 }
576
577 /**
578 * Adds a <code>PKIXCertPathChecker</code> to the list of certification
579 * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
580 * method for more details.
581 * <p>
582 * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
583 * against subsequent modifications.
584 *
585 * @param checker a <code>PKIXCertPathChecker</code> to add to the list of
586 * checks. If <code>null</code>, the checker is ignored (not added to list).
587 */
588 public void addCertPathChecker(PKIXCertPathChecker checker) {
589 if (checker != null) {
590 certPathCheckers.add((PKIXCertPathChecker)checker.clone());
591 }
592 }
593
594 /**
595 * Returns the signature provider's name, or <code>null</code>
596 * if not set.
597 *
598 * @return the signature provider's name (or <code>null</code>)
599 * @see #setSigProvider
600 */
601 public String getSigProvider() {
602 return this.sigProvider;
603 }
604
605 /**
606 * Sets the signature provider's name. The specified provider will be
607 * preferred when creating {@link java.security.Signature Signature}
608 * objects. If <code>null</code> or not set, the first provider found
609 * supporting the algorithm will be used.
610 *
611 * @param sigProvider the signature provider's name (or <code>null</code>)
612 * @see #getSigProvider
613 */
614 public void setSigProvider(String sigProvider) {
615 this.sigProvider = sigProvider;
616 }
617
618 /**
619 * Returns the required constraints on the target certificate.
620 * The constraints are returned as an instance of <code>CertSelector</code>.
621 * If <code>null</code>, no constraints are defined.
622 *
623 * <p>Note that the <code>CertSelector</code> returned is cloned
624 * to protect against subsequent modifications.
625 *
626 * @return a <code>CertSelector</code> specifying the constraints
627 * on the target certificate (or <code>null</code>)
628 * @see #setTargetCertConstraints
629 */
630 public CertSelector getTargetCertConstraints() {
631 if (certSelector != null) {
632 return (CertSelector) certSelector.clone();
633 } else {
634 return null;
635 }
636 }
637
638 /**
639 * Sets the required constraints on the target certificate.
640 * The constraints are specified as an instance of
641 * <code>CertSelector</code>. If <code>null</code>, no constraints are
642 * defined.
643 *
644 * <p>Note that the <code>CertSelector</code> specified is cloned
645 * to protect against subsequent modifications.
646 *
647 * @param selector a <code>CertSelector</code> specifying the constraints
648 * on the target certificate (or <code>null</code>)
649 * @see #getTargetCertConstraints
650 */
651 public void setTargetCertConstraints(CertSelector selector) {
652 if (selector != null)
653 certSelector = (CertSelector) selector.clone();
654 else
655 certSelector = null;
656 }
657
658 /**
659 * Makes a copy of this <code>PKIXParameters</code> object. Changes
660 * to the copy will not affect the original and vice versa.
661 *
662 * @return a copy of this <code>PKIXParameters</code> object
663 */
664 public Object clone() {
665 try {
666 Object copy = super.clone();
667 // Must clone these because addCertStore, et al. modify them
668 if (certStores != null) {
669 certStores = new ArrayList<CertStore>(certStores);
670 }
671 if (certPathCheckers != null) {
672 certPathCheckers =
673 new ArrayList<PKIXCertPathChecker>(certPathCheckers);
674 }
675 return copy;
676 } catch (CloneNotSupportedException e) {
677 /* Cannot happen */
678 throw new InternalError(e.toString());
679 }
680 }
681
682 /**
683 * Returns a formatted string describing the parameters.
684 *
685 * @return a formatted string describing the parameters.
686 */
687 public String toString() {
688 StringBuffer sb = new StringBuffer();
689 sb.append("[\n");
690
691 /* start with trusted anchor info */
692 if (unmodTrustAnchors != null) {
693 sb.append(" Trust Anchors: " + unmodTrustAnchors.toString()
694 + "\n");
695 }
696
697 /* now, append initial state information */
698 if (unmodInitialPolicies != null) {
699 if (unmodInitialPolicies.isEmpty()) {
700 sb.append(" Initial Policy OIDs: any\n");
701 } else {
702 sb.append(" Initial Policy OIDs: ["
703 + unmodInitialPolicies.toString() + "]\n");
704 }
705 }
706
707 /* now, append constraints on all certificates in the path */
708 sb.append(" Validity Date: " + String.valueOf(date) + "\n");
709 sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n");
710 sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n");
711 sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n");
712 sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
713 sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n");
714 sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
715
716 /* now, append target cert requirements */
717 sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
718
719 /* finally, append miscellaneous parameters */
720 if (certPathCheckers != null)
721 sb.append(" Certification Path Checkers: ["
722 + certPathCheckers.toString() + "]\n");
723 if (certStores != null)
724 sb.append(" CertStores: [" + certStores.toString() + "]\n");
725 sb.append("]");
726 return sb.toString();
727 }
728 }
Save This Page