001/* PKIXParameters.java -- parameters for the PKIX cert path algorithm 002 Copyright (C) 2003 Free Software Foundation, Inc. 003 004This file is part of GNU Classpath. 005 006GNU Classpath is free software; you can redistribute it and/or modify 007it under the terms of the GNU General Public License as published by 008the Free Software Foundation; either version 2, or (at your option) 009any later version. 010 011GNU Classpath is distributed in the hope that it will be useful, but 012WITHOUT ANY WARRANTY; without even the implied warranty of 013MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 014General Public License for more details. 015 016You should have received a copy of the GNU General Public License 017along with GNU Classpath; see the file COPYING. If not, write to the 018Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 01902110-1301 USA. 020 021Linking this library statically or dynamically with other modules is 022making a combined work based on this library. Thus, the terms and 023conditions of the GNU General Public License cover the whole 024combination. 025 026As a special exception, the copyright holders of this library give you 027permission to link this library with independent modules to produce an 028executable, regardless of the license terms of these independent 029modules, and to copy and distribute the resulting executable under 030terms of your choice, provided that you also meet, for each linked 031independent module, the terms and conditions of the license of that 032module. An independent module is a module which is not derived from 033or based on this library. If you modify this library, you may extend 034this exception to your version of the library, but you are not 035obligated to do so. If you do not wish to do so, delete this 036exception statement from your version. */ 037 038 039package java.security.cert; 040 041import java.security.InvalidAlgorithmParameterException; 042import java.security.KeyStore; 043import java.security.KeyStoreException; 044 045import java.util.Collections; 046import java.util.Date; 047import java.util.Enumeration; 048import java.util.HashSet; 049import java.util.Iterator; 050import java.util.LinkedList; 051import java.util.List; 052import java.util.Set; 053 054/** 055 * Parameters for verifying certificate paths using the PKIX 056 * (Public-Key Infrastructure (X.509)) algorithm. 057 * 058 * @see CertPathBuilder 059 * @since 1.4 060 */ 061public class PKIXParameters implements CertPathParameters 062{ 063 064 // Fields. 065 // ------------------------------------------------------------------------ 066 067 /** The trusted certificates. */ 068 private final Set trustAnchors; 069 070 /** The set of initial policy identifiers. */ 071 private final Set initPolicies; 072 073 /** The list of certificate stores. */ 074 private final List certStores; 075 076 /** The list of path checkers. */ 077 private final List pathCheckers; 078 079 /** The revocation enabled flag. */ 080 private boolean revocationEnabled; 081 082 /** The explicit policy required flag. */ 083 private boolean exPolicyRequired; 084 085 /** The policy mapping inhibited flag. */ 086 private boolean policyMappingInhibited; 087 088 /** The any policy inhibited flag. */ 089 private boolean anyPolicyInhibited; 090 091 /** The policy qualifiers rejected flag. */ 092 private boolean policyQualRejected; 093 094 /** The target validation date. */ 095 private Date date; 096 097 /** The signature algorithm provider. */ 098 private String sigProvider; 099 100 /** The target constraints. */ 101 private CertSelector targetConstraints; 102 103 // Constructors. 104 // ------------------------------------------------------------------------ 105 106 /** 107 * Create a new PKIXParameters object, populating the trusted 108 * certificates set with all certificates found in the given key 109 * store. All certificates found in the key store are assumed to be 110 * trusted by this constructor. 111 * 112 * @param keystore The key store. 113 * @throws KeyStoreException If the certificates cannot be retrieved 114 * from the key store. 115 * @throws InvalidAlgorithmParameterException If there are no 116 * certificates in the key store. 117 * @throws NullPointerException If <i>keystore</i> is null. 118 */ 119 public PKIXParameters(KeyStore keystore) 120 throws KeyStoreException, InvalidAlgorithmParameterException 121 { 122 this(); 123 for (Enumeration e = keystore.aliases(); e.hasMoreElements(); ) 124 { 125 String alias = (String) e.nextElement(); 126 if (!keystore.isCertificateEntry(alias)) 127 continue; 128 Certificate cert = keystore.getCertificate(alias); 129 if (cert instanceof X509Certificate) 130 trustAnchors.add(new TrustAnchor((X509Certificate) cert, null)); 131 } 132 if (trustAnchors.isEmpty()) 133 throw new InvalidAlgorithmParameterException("no certs in the key store"); 134 } 135 136 /** 137 * Create a new PKIXParameters object, populating the trusted 138 * certificates set with the elements of the given set, each of which 139 * must be a {@link TrustAnchor}. 140 * 141 * @param trustAnchors The set of trust anchors. 142 * @throws InvalidAlgorithmParameterException If there are no 143 * certificates in the set. 144 * @throws NullPointerException If <i>trustAnchors</i> is null. 145 * @throws ClassCastException If every element in <i>trustAnchors</i> 146 * is not a {@link TrustAnchor}. 147 */ 148 public PKIXParameters(Set<TrustAnchor> trustAnchors) 149 throws InvalidAlgorithmParameterException 150 { 151 this(); 152 setTrustAnchors(trustAnchors); 153 } 154 155 /** 156 * Default constructor. 157 */ 158 private PKIXParameters() 159 { 160 trustAnchors = new HashSet(); 161 initPolicies = new HashSet(); 162 certStores = new LinkedList(); 163 pathCheckers = new LinkedList(); 164 revocationEnabled = true; 165 exPolicyRequired = false; 166 policyMappingInhibited = false; 167 anyPolicyInhibited = false; 168 policyQualRejected = true; 169 } 170 171 /** 172 * Copying constructor for cloning. 173 * 174 * @param that The instance being cloned. 175 */ 176 private PKIXParameters(PKIXParameters that) 177 { 178 this(); 179 this.trustAnchors.addAll(that.trustAnchors); 180 this.initPolicies.addAll(that.initPolicies); 181 this.certStores.addAll(that.certStores); 182 this.pathCheckers.addAll(that.pathCheckers); 183 this.revocationEnabled = that.revocationEnabled; 184 this.exPolicyRequired = that.exPolicyRequired; 185 this.policyMappingInhibited = that.policyMappingInhibited; 186 this.anyPolicyInhibited = that.anyPolicyInhibited; 187 this.policyQualRejected = that.policyQualRejected; 188 this.date = that.date; 189 this.sigProvider = that.sigProvider; 190 this.targetConstraints = that.targetConstraints != null 191 ? (CertSelector) that.targetConstraints.clone() : null; 192 } 193 194 // Instance methods. 195 // ------------------------------------------------------------------------ 196 197 /** 198 * Returns an immutable set of trust anchors. The set returned will 199 * never be null and will never be empty. 200 * 201 * @return A (never null, never empty) immutable set of trust anchors. 202 */ 203 public Set<TrustAnchor> getTrustAnchors() 204 { 205 return Collections.unmodifiableSet(trustAnchors); 206 } 207 208 /** 209 * Sets the trust anchors of this class, replacing the current trust 210 * anchors with those in the given set. The supplied set is copied to 211 * prevent modification. 212 * 213 * @param trustAnchors The new set of trust anchors. 214 * @throws InvalidAlgorithmParameterException If there are no 215 * certificates in the set. 216 * @throws NullPointerException If <i>trustAnchors</i> is null. 217 * @throws ClassCastException If every element in <i>trustAnchors</i> 218 * is not a {@link TrustAnchor}. 219 */ 220 public void setTrustAnchors(Set<TrustAnchor> trustAnchors) 221 throws InvalidAlgorithmParameterException 222 { 223 if (trustAnchors.isEmpty()) 224 throw new InvalidAlgorithmParameterException("no trust anchors"); 225 this.trustAnchors.clear(); 226 for (Iterator i = trustAnchors.iterator(); i.hasNext(); ) 227 { 228 this.trustAnchors.add((TrustAnchor) i.next()); 229 } 230 } 231 232 /** 233 * Returns the set of initial policy identifiers (as OID strings). If 234 * any policy is accepted, this method returns the empty set. 235 * 236 * @return An immutable set of initial policy OID strings, or the 237 * empty set if any policy is acceptable. 238 */ 239 public Set<String> getInitialPolicies() 240 { 241 return Collections.unmodifiableSet(initPolicies); 242 } 243 244 /** 245 * Sets the initial policy identifiers (as OID strings). If the 246 * argument is null or the empty set, then any policy identifier will 247 * be accepted. 248 * 249 * @param initPolicies The new set of policy strings, or null. 250 * @throws ClassCastException If any element in <i>initPolicies</i> is 251 * not a string. 252 */ 253 public void setInitialPolicies(Set<String> initPolicies) 254 { 255 this.initPolicies.clear(); 256 if (initPolicies == null) 257 return; 258 for (Iterator i = initPolicies.iterator(); i.hasNext(); ) 259 { 260 this.initPolicies.add((String) i.next()); 261 } 262 } 263 264 /** 265 * Add a {@link CertStore} to the list of cert stores. 266 * 267 * @param store The CertStore to add. 268 */ 269 public void addCertStore(CertStore store) 270 { 271 if (store != null) 272 certStores.add(store); 273 } 274 275 /** 276 * Returns an immutable list of cert stores. This method never returns 277 * null. 278 * 279 * @return The list of cert stores. 280 */ 281 public List<CertStore> getCertStores() 282 { 283 return Collections.unmodifiableList(certStores); 284 } 285 286 /** 287 * Set the cert stores. If the argument is null the list of cert 288 * stores will be empty. 289 * 290 * @param certStores The cert stores. 291 */ 292 public void setCertStores(List<CertStore> certStores) 293 { 294 this.certStores.clear(); 295 if (certStores == null) 296 return; 297 for (Iterator i = certStores.iterator(); i.hasNext(); ) 298 { 299 this.certStores.add((CertStore) i.next()); 300 } 301 } 302 303 /** 304 * Returns the value of the <i>revocation enabled</i> flag. The default 305 * value for this flag is <code>true</code>. 306 * 307 * @return The <i>revocation enabled</i> flag. 308 */ 309 public boolean isRevocationEnabled() 310 { 311 return revocationEnabled; 312 } 313 314 /** 315 * Sets the value of the <i>revocation enabled</i> flag. 316 * 317 * @param value The new value. 318 */ 319 public void setRevocationEnabled(boolean value) 320 { 321 revocationEnabled = value; 322 } 323 324 /** 325 * Returns the value of the <i>explicit policy required</i> flag. The 326 * default value of this flag is <code>false</code>. 327 * 328 * @return The <i>explicit policy required</i> flag. 329 */ 330 public boolean isExplicitPolicyRequired() 331 { 332 return exPolicyRequired; 333 } 334 335 /** 336 * Sets the value of the <i>explicit policy required</i> flag. 337 * 338 * @param value The new value. 339 */ 340 public void setExplicitPolicyRequired(boolean value) 341 { 342 exPolicyRequired = value; 343 } 344 345 /** 346 * Returns the value of the <i>policy mapping inhibited</i> flag. The 347 * default value of this flag is <code>false</code>. 348 * 349 * @return The <i>policy mapping inhibited</i> flag. 350 */ 351 public boolean isPolicyMappingInhibited() 352 { 353 return policyMappingInhibited; 354 } 355 356 /** 357 * Sets the value of the <i>policy mapping inhibited</i> flag. 358 * 359 * @param value The new value. 360 */ 361 public void setPolicyMappingInhibited(boolean value) 362 { 363 policyMappingInhibited = value; 364 } 365 366 /** 367 * Returns the value of the <i>any policy inhibited</i> flag. The 368 * default value of this flag is <code>false</code>. 369 * 370 * @return The <i>any policy inhibited</i> flag. 371 */ 372 public boolean isAnyPolicyInhibited() 373 { 374 return anyPolicyInhibited; 375 } 376 377 /** 378 * Sets the value of the <i>any policy inhibited</i> flag. 379 * 380 * @param value The new value. 381 */ 382 public void setAnyPolicyInhibited(boolean value) 383 { 384 anyPolicyInhibited = value; 385 } 386 387 /** 388 * Returns the value of the <i>policy qualifiers enabled</i> flag. The 389 * default value of this flag is <code>true</code>. 390 * 391 * @return The <i>policy qualifiers enabled</i> flag. 392 */ 393 public boolean getPolicyQualifiersRejected() 394 { 395 return policyQualRejected; 396 } 397 398 /** 399 * Sets the value of the <i>policy qualifiers enabled</i> flag. 400 * 401 * @param value The new value. 402 */ 403 public void setPolicyQualifiersRejected(boolean value) 404 { 405 policyQualRejected = value; 406 } 407 408 /** 409 * Returns the date for which the certificate path should be 410 * validated, or null if the current time should be used. The date 411 * object is copied to prevent subsequent modification. 412 * 413 * @return The date, or null if not set. 414 */ 415 public Date getDate() 416 { 417 return date != null ? (Date) date.clone() : null; 418 } 419 420 /** 421 * Sets the date for which the certificate path should be validated, 422 * or null if the current time should be used. 423 * 424 * @param date The new date, or null. 425 */ 426 public void setDate(Date date) 427 { 428 if (date != null) 429 this.date = (Date) date.clone(); 430 else 431 this.date = null; 432 } 433 434 /** 435 * Add a certificate path checker. 436 * 437 * @param checker The certificate path checker to add. 438 */ 439 public void addCertPathChecker(PKIXCertPathChecker checker) 440 { 441 if (checker != null) 442 pathCheckers.add(checker); 443 } 444 445 /** 446 * Returns an immutable list of all certificate path checkers. 447 * 448 * @return An immutable list of all certificate path checkers. 449 */ 450 public List<PKIXCertPathChecker> getCertPathCheckers() 451 { 452 return Collections.unmodifiableList(pathCheckers); 453 } 454 455 /** 456 * Sets the certificate path checkers. If the argument is null, the 457 * list of checkers will merely be cleared. 458 * 459 * @param pathCheckers The new list of certificate path checkers. 460 * @throws ClassCastException If any element of <i>pathCheckers</i> is 461 * not a {@link PKIXCertPathChecker}. 462 */ 463 public void setCertPathCheckers(List<PKIXCertPathChecker> pathCheckers) 464 { 465 this.pathCheckers.clear(); 466 if (pathCheckers == null) 467 return; 468 for (Iterator i = pathCheckers.iterator(); i.hasNext(); ) 469 { 470 this.pathCheckers.add((PKIXCertPathChecker) i.next()); 471 } 472 } 473 474 /** 475 * Returns the signature algorithm provider, or null if not set. 476 * 477 * @return The signature algorithm provider, or null if not set. 478 */ 479 public String getSigProvider() 480 { 481 return sigProvider; 482 } 483 484 /** 485 * Sets the signature algorithm provider, or null if there is no 486 * preferred provider. 487 * 488 * @param sigProvider The signature provider name. 489 */ 490 public void setSigProvider(String sigProvider) 491 { 492 this.sigProvider = sigProvider; 493 } 494 495 /** 496 * Returns the constraints placed on the target certificate, or null 497 * if there are none. The target constraints are copied to prevent 498 * subsequent modification. 499 * 500 * @return The target constraints, or null. 501 */ 502 public CertSelector getTargetCertConstraints() 503 { 504 return targetConstraints != null 505 ? (CertSelector) targetConstraints.clone() : null; 506 } 507 508 /** 509 * Sets the constraints placed on the target certificate. 510 * 511 * @param targetConstraints The target constraints. 512 */ 513 public void setTargetCertConstraints(CertSelector targetConstraints) 514 { 515 this.targetConstraints = targetConstraints != null 516 ? (CertSelector) targetConstraints.clone() : null; 517 } 518 519 /** 520 * Returns a copy of these parameters. 521 * 522 * @return The copy. 523 */ 524 public Object clone() 525 { 526 return new PKIXParameters(this); 527 } 528 529 /** 530 * Returns a printable representation of these parameters. 531 * 532 * @return A printable representation of these parameters. 533 */ 534 public String toString() { 535 return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs=" 536 + (initPolicies != null ? initPolicies.toString() : "any") 537 + "; Validity Date=" + date + "; Signature Provider=" 538 + sigProvider + "; Default Revocation Enabled=" + revocationEnabled 539 + "; Explicit Policy Required=" + exPolicyRequired 540 + "; Policy Mapping Inhibited=" + policyMappingInhibited 541 + "; Any Policy Inhibited=" + anyPolicyInhibited 542 + "; Policy Qualifiers Rejected=" + policyQualRejected 543 + "; Target Cert Contstraints=" + targetConstraints 544 + "; Certification Path Checkers=" + pathCheckers 545 + "; CertStores=" + certStores + " ]"; 546 } 547}