1 /* 2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.security.InvalidAlgorithmParameterException; 29 import java.security.KeyStore; 30 import java.security.KeyStoreException; 31 import java.util.ArrayList; 32 import java.util.Collections; 33 import java.util.Date; 34 import java.util.Enumeration; 35 import java.util.HashSet; 36 import java.util.Iterator; 37 import java.util.List; 38 import java.util.Set; 39 40 /** 41 * Parameters used as input for the PKIX {@code CertPathValidator} 42 * algorithm. 43 * <p> 44 * A PKIX {@code CertPathValidator} uses these parameters to 45 * validate a {@code CertPath} according to the PKIX certification path 46 * validation algorithm. 47 * 48 * <p>To instantiate a {@code PKIXParameters} object, an 49 * application must specify one or more <i>most-trusted CAs</i> as defined by 50 * the PKIX certification path validation algorithm. The most-trusted CAs 51 * can be specified using one of two constructors. An application 52 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)}, 53 * specifying a {@code Set} of {@code TrustAnchor} objects, each 54 * of which identify a most-trusted CA. Alternatively, an application can call 55 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a 56 * {@code KeyStore} instance containing trusted certificate entries, each 57 * of which will be considered as a most-trusted CA. 58 * <p> 59 * Once a {@code PKIXParameters} object has been created, other parameters 60 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies} 61 * or {@link #setDate setDate}, for instance) and then the 62 * {@code PKIXParameters} is passed along with the {@code CertPath} 63 * to be validated to {@link CertPathValidator#validate 64 * CertPathValidator.validate}. 65 * <p> 66 * Any parameter that is not set (or is set to {@code null}) will 67 * be set to the default value for that parameter. The default value for the 68 * {@code date} parameter is {@code null}, which indicates 69 * the current time when the path is validated. The default for the 70 * remaining parameters is the least constrained. 71 * <p> 72 * <b>Concurrent Access</b> 73 * <p> 74 * Unless otherwise specified, the methods defined in this class are not 75 * thread-safe. Multiple threads that need to access a single 76 * object concurrently should synchronize amongst themselves and 77 * provide the necessary locking. Multiple threads each manipulating 78 * separate objects need not synchronize. 79 * 80 * @see CertPathValidator 81 * 82 * @since 1.4 83 * @author Sean Mullan 84 * @author Yassir Elley 85 */ 86 public class PKIXParameters implements CertPathParameters { 87 88 private Set<TrustAnchor> unmodTrustAnchors; 89 private Date date; 90 private List<PKIXCertPathChecker> certPathCheckers; 91 private String sigProvider; 92 private boolean revocationEnabled = true; 93 private Set<String> unmodInitialPolicies; 94 private boolean explicitPolicyRequired = false; 95 private boolean policyMappingInhibited = false; 96 private boolean anyPolicyInhibited = false; 97 private boolean policyQualifiersRejected = true; 98 private List<CertStore> certStores; 99 private CertSelector certSelector; 100 101 /** 102 * Creates an instance of {@code PKIXParameters} with the specified 103 * {@code Set} of most-trusted CAs. Each element of the 104 * set is a {@link TrustAnchor TrustAnchor}. 105 * <p> 106 * Note that the {@code Set} is copied to protect against 107 * subsequent modifications. 108 * 109 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s 110 * @throws InvalidAlgorithmParameterException if the specified 111 * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)} 112 * @throws NullPointerException if the specified {@code Set} is 113 * {@code null} 114 * @throws ClassCastException if any of the elements in the {@code Set} 115 * are not of type {@code java.security.cert.TrustAnchor} 116 */ PKIXParameters(Set<TrustAnchor> trustAnchors)117 public PKIXParameters(Set<TrustAnchor> trustAnchors) 118 throws InvalidAlgorithmParameterException 119 { 120 setTrustAnchors(trustAnchors); 121 122 this.unmodInitialPolicies = Collections.<String>emptySet(); 123 this.certPathCheckers = new ArrayList<>(); 124 this.certStores = new ArrayList<>(); 125 } 126 127 /** 128 * Creates an instance of {@code PKIXParameters} that 129 * populates the set of most-trusted CAs from the trusted 130 * certificate entries contained in the specified {@code KeyStore}. 131 * Only keystore entries that contain trusted {@code X509Certificates} 132 * are considered; all other certificate types are ignored. 133 * 134 * @param keystore a {@code KeyStore} from which the set of 135 * most-trusted CAs will be populated 136 * @throws KeyStoreException if the keystore has not been initialized 137 * @throws InvalidAlgorithmParameterException if the keystore does 138 * not contain at least one trusted certificate entry 139 * @throws NullPointerException if the keystore is {@code null} 140 */ PKIXParameters(KeyStore keystore)141 public PKIXParameters(KeyStore keystore) 142 throws KeyStoreException, InvalidAlgorithmParameterException 143 { 144 if (keystore == null) 145 throw new NullPointerException("the keystore parameter must be " + 146 "non-null"); 147 Set<TrustAnchor> hashSet = new HashSet<>(); 148 Enumeration<String> aliases = keystore.aliases(); 149 while (aliases.hasMoreElements()) { 150 String alias = aliases.nextElement(); 151 if (keystore.isCertificateEntry(alias)) { 152 Certificate cert = keystore.getCertificate(alias); 153 if (cert instanceof X509Certificate) 154 hashSet.add(new TrustAnchor((X509Certificate)cert, null)); 155 } 156 } 157 setTrustAnchors(hashSet); 158 this.unmodInitialPolicies = Collections.<String>emptySet(); 159 this.certPathCheckers = new ArrayList<>(); 160 this.certStores = new ArrayList<>(); 161 } 162 163 /** 164 * Returns an immutable {@code Set} of the most-trusted 165 * CAs. 166 * 167 * @return an immutable {@code Set} of {@code TrustAnchor}s 168 * (never {@code null}) 169 * 170 * @see #setTrustAnchors 171 */ getTrustAnchors()172 public Set<TrustAnchor> getTrustAnchors() { 173 return this.unmodTrustAnchors; 174 } 175 176 /** 177 * Sets the {@code Set} of most-trusted CAs. 178 * <p> 179 * Note that the {@code Set} is copied to protect against 180 * subsequent modifications. 181 * 182 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s 183 * @throws InvalidAlgorithmParameterException if the specified 184 * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)} 185 * @throws NullPointerException if the specified {@code Set} is 186 * {@code null} 187 * @throws ClassCastException if any of the elements in the set 188 * are not of type {@code java.security.cert.TrustAnchor} 189 * 190 * @see #getTrustAnchors 191 */ setTrustAnchors(Set<TrustAnchor> trustAnchors)192 public void setTrustAnchors(Set<TrustAnchor> trustAnchors) 193 throws InvalidAlgorithmParameterException 194 { 195 if (trustAnchors == null) { 196 throw new NullPointerException("the trustAnchors parameters must" + 197 " be non-null"); 198 } 199 if (trustAnchors.isEmpty()) { 200 throw new InvalidAlgorithmParameterException("the trustAnchors " + 201 "parameter must be non-empty"); 202 } 203 for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) { 204 if (!(i.next() instanceof TrustAnchor)) { 205 throw new ClassCastException("all elements of set must be " 206 + "of type java.security.cert.TrustAnchor"); 207 } 208 } 209 this.unmodTrustAnchors = Collections.unmodifiableSet 210 (new HashSet<>(trustAnchors)); 211 } 212 213 /** 214 * Returns an immutable {@code Set} of initial 215 * policy identifiers (OID strings), indicating that any one of these 216 * policies would be acceptable to the certificate user for the purposes of 217 * certification path processing. The default return value is an empty 218 * {@code Set}, which is interpreted as meaning that any policy would 219 * be acceptable. 220 * 221 * @return an immutable {@code Set} of initial policy OIDs in 222 * {@code String} format, or an empty {@code Set} (implying any 223 * policy is acceptable). Never returns {@code null}. 224 * 225 * @see #setInitialPolicies 226 */ getInitialPolicies()227 public Set<String> getInitialPolicies() { 228 return this.unmodInitialPolicies; 229 } 230 231 /** 232 * Sets the {@code Set} of initial policy identifiers 233 * (OID strings), indicating that any one of these 234 * policies would be acceptable to the certificate user for the purposes of 235 * certification path processing. By default, any policy is acceptable 236 * (i.e. all policies), so a user that wants to allow any policy as 237 * acceptable does not need to call this method, or can call it 238 * with an empty {@code Set} (or {@code null}). 239 * <p> 240 * Note that the {@code Set} is copied to protect against 241 * subsequent modifications. 242 * 243 * @param initialPolicies a {@code Set} of initial policy 244 * OIDs in {@code String} format (or {@code null}) 245 * @throws ClassCastException if any of the elements in the set are 246 * not of type {@code String} 247 * 248 * @see #getInitialPolicies 249 */ setInitialPolicies(Set<String> initialPolicies)250 public void setInitialPolicies(Set<String> initialPolicies) { 251 if (initialPolicies != null) { 252 for (Iterator<String> i = initialPolicies.iterator(); 253 i.hasNext();) { 254 if (!(i.next() instanceof String)) 255 throw new ClassCastException("all elements of set must be " 256 + "of type java.lang.String"); 257 } 258 this.unmodInitialPolicies = 259 Collections.unmodifiableSet(new HashSet<>(initialPolicies)); 260 } else 261 this.unmodInitialPolicies = Collections.<String>emptySet(); 262 } 263 264 /** 265 * Sets the list of {@code CertStore}s to be used in finding 266 * certificates and CRLs. May be {@code null}, in which case 267 * no {@code CertStore}s will be used. The first 268 * {@code CertStore}s in the list may be preferred to those that 269 * appear later. 270 * <p> 271 * Note that the {@code List} is copied to protect against 272 * subsequent modifications. 273 * 274 * @param stores a {@code List} of {@code CertStore}s (or 275 * {@code null}) 276 * @throws ClassCastException if any of the elements in the list are 277 * not of type {@code java.security.cert.CertStore} 278 * 279 * @see #getCertStores 280 */ setCertStores(List<CertStore> stores)281 public void setCertStores(List<CertStore> stores) { 282 if (stores == null) { 283 this.certStores = new ArrayList<>(); 284 } else { 285 for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) { 286 if (!(i.next() instanceof CertStore)) { 287 throw new ClassCastException("all elements of list must be " 288 + "of type java.security.cert.CertStore"); 289 } 290 } 291 this.certStores = new ArrayList<>(stores); 292 } 293 } 294 295 /** 296 * Adds a {@code CertStore} to the end of the list of 297 * {@code CertStore}s used in finding certificates and CRLs. 298 * 299 * @param store the {@code CertStore} to add. If {@code null}, 300 * the store is ignored (not added to list). 301 */ addCertStore(CertStore store)302 public void addCertStore(CertStore store) { 303 if (store != null) { 304 this.certStores.add(store); 305 } 306 } 307 308 /** 309 * Returns an immutable {@code List} of {@code CertStore}s that 310 * are used to find certificates and CRLs. 311 * 312 * @return an immutable {@code List} of {@code CertStore}s 313 * (may be empty, but never {@code null}) 314 * 315 * @see #setCertStores 316 */ getCertStores()317 public List<CertStore> getCertStores() { 318 return Collections.unmodifiableList 319 (new ArrayList<>(this.certStores)); 320 } 321 322 /** 323 * Sets the RevocationEnabled flag. If this flag is true, the default 324 * revocation checking mechanism of the underlying PKIX service provider 325 * will be used. If this flag is false, the default revocation checking 326 * mechanism will be disabled (not used). 327 * <p> 328 * When a {@code PKIXParameters} object is created, this flag is set 329 * to true. This setting reflects the most common strategy for checking 330 * revocation, since each service provider must support revocation 331 * checking to be PKIX compliant. Sophisticated applications should set 332 * this flag to false when it is not practical to use a PKIX service 333 * provider's default revocation checking mechanism or when an alternative 334 * revocation checking mechanism is to be substituted (by also calling the 335 * {@link #addCertPathChecker addCertPathChecker} or {@link 336 * #setCertPathCheckers setCertPathCheckers} methods). 337 * 338 * @param val the new value of the RevocationEnabled flag 339 */ setRevocationEnabled(boolean val)340 public void setRevocationEnabled(boolean val) { 341 revocationEnabled = val; 342 } 343 344 /** 345 * Checks the RevocationEnabled flag. If this flag is true, the default 346 * revocation checking mechanism of the underlying PKIX service provider 347 * will be used. If this flag is false, the default revocation checking 348 * mechanism will be disabled (not used). See the {@link 349 * #setRevocationEnabled setRevocationEnabled} method for more details on 350 * setting the value of this flag. 351 * 352 * @return the current value of the RevocationEnabled flag 353 */ isRevocationEnabled()354 public boolean isRevocationEnabled() { 355 return revocationEnabled; 356 } 357 358 /** 359 * Sets the ExplicitPolicyRequired flag. If this flag is true, an 360 * acceptable policy needs to be explicitly identified in every certificate. 361 * By default, the ExplicitPolicyRequired flag is false. 362 * 363 * @param val {@code true} if explicit policy is to be required, 364 * {@code false} otherwise 365 */ setExplicitPolicyRequired(boolean val)366 public void setExplicitPolicyRequired(boolean val) { 367 explicitPolicyRequired = val; 368 } 369 370 /** 371 * Checks if explicit policy is required. If this flag is true, an 372 * acceptable policy needs to be explicitly identified in every certificate. 373 * By default, the ExplicitPolicyRequired flag is false. 374 * 375 * @return {@code true} if explicit policy is required, 376 * {@code false} otherwise 377 */ isExplicitPolicyRequired()378 public boolean isExplicitPolicyRequired() { 379 return explicitPolicyRequired; 380 } 381 382 /** 383 * Sets the PolicyMappingInhibited flag. If this flag is true, policy 384 * mapping is inhibited. By default, policy mapping is not inhibited (the 385 * flag is false). 386 * 387 * @param val {@code true} if policy mapping is to be inhibited, 388 * {@code false} otherwise 389 */ setPolicyMappingInhibited(boolean val)390 public void setPolicyMappingInhibited(boolean val) { 391 policyMappingInhibited = val; 392 } 393 394 /** 395 * Checks if policy mapping is inhibited. If this flag is true, policy 396 * mapping is inhibited. By default, policy mapping is not inhibited (the 397 * flag is false). 398 * 399 * @return true if policy mapping is inhibited, false otherwise 400 */ isPolicyMappingInhibited()401 public boolean isPolicyMappingInhibited() { 402 return policyMappingInhibited; 403 } 404 405 /** 406 * Sets state to determine if the any policy OID should be processed 407 * if it is included in a certificate. By default, the any policy OID 408 * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()} 409 * returns {@code false}). 410 * 411 * @param val {@code true} if the any policy OID is to be 412 * inhibited, {@code false} otherwise 413 */ setAnyPolicyInhibited(boolean val)414 public void setAnyPolicyInhibited(boolean val) { 415 anyPolicyInhibited = val; 416 } 417 418 /** 419 * Checks whether the any policy OID should be processed if it 420 * is included in a certificate. 421 * 422 * @return {@code true} if the any policy OID is inhibited, 423 * {@code false} otherwise 424 */ isAnyPolicyInhibited()425 public boolean isAnyPolicyInhibited() { 426 return anyPolicyInhibited; 427 } 428 429 /** 430 * Sets the PolicyQualifiersRejected flag. If this flag is true, 431 * certificates that include policy qualifiers in a certificate 432 * policies extension that is marked critical are rejected. 433 * If the flag is false, certificates are not rejected on this basis. 434 * 435 * <p> When a {@code PKIXParameters} object is created, this flag is 436 * set to true. This setting reflects the most common (and simplest) 437 * strategy for processing policy qualifiers. Applications that want to use 438 * a more sophisticated policy must set this flag to false. 439 * <p> 440 * Note that the PKIX certification path validation algorithm specifies 441 * that any policy qualifier in a certificate policies extension that is 442 * marked critical must be processed and validated. Otherwise the 443 * certification path must be rejected. If the policyQualifiersRejected flag 444 * is set to false, it is up to the application to validate all policy 445 * qualifiers in this manner in order to be PKIX compliant. 446 * 447 * @param qualifiersRejected the new value of the PolicyQualifiersRejected 448 * flag 449 * @see #getPolicyQualifiersRejected 450 * @see PolicyQualifierInfo 451 */ setPolicyQualifiersRejected(boolean qualifiersRejected)452 public void setPolicyQualifiersRejected(boolean qualifiersRejected) { 453 policyQualifiersRejected = qualifiersRejected; 454 } 455 456 /** 457 * Gets the PolicyQualifiersRejected flag. If this flag is true, 458 * certificates that include policy qualifiers in a certificate policies 459 * extension that is marked critical are rejected. 460 * If the flag is false, certificates are not rejected on this basis. 461 * 462 * <p> When a {@code PKIXParameters} object is created, this flag is 463 * set to true. This setting reflects the most common (and simplest) 464 * strategy for processing policy qualifiers. Applications that want to use 465 * a more sophisticated policy must set this flag to false. 466 * 467 * @return the current value of the PolicyQualifiersRejected flag 468 * @see #setPolicyQualifiersRejected 469 */ getPolicyQualifiersRejected()470 public boolean getPolicyQualifiersRejected() { 471 return policyQualifiersRejected; 472 } 473 474 /** 475 * Returns the time for which the validity of the certification path 476 * should be determined. If {@code null}, the current time is used. 477 * <p> 478 * Note that the {@code Date} returned is copied to protect against 479 * subsequent modifications. 480 * 481 * @return the {@code Date}, or {@code null} if not set 482 * @see #setDate 483 */ getDate()484 public Date getDate() { 485 if (date == null) 486 return null; 487 else 488 return (Date) this.date.clone(); 489 } 490 491 /** 492 * Sets the time for which the validity of the certification path 493 * should be determined. If {@code null}, the current time is used. 494 * <p> 495 * Note that the {@code Date} supplied here is copied to protect 496 * against subsequent modifications. 497 * 498 * @param date the {@code Date}, or {@code null} for the 499 * current time 500 * @see #getDate 501 */ setDate(Date date)502 public void setDate(Date date) { 503 if (date != null) 504 this.date = (Date) date.clone(); 505 else 506 date = null; 507 } 508 509 /** 510 * Sets a {@code List} of additional certification path checkers. If 511 * the specified {@code List} contains an object that is not a 512 * {@code PKIXCertPathChecker}, it is ignored. 513 * <p> 514 * Each {@code PKIXCertPathChecker} specified implements 515 * additional checks on a certificate. Typically, these are checks to 516 * process and verify private extensions contained in certificates. 517 * Each {@code PKIXCertPathChecker} should be instantiated with any 518 * initialization parameters needed to execute the check. 519 * <p> 520 * This method allows sophisticated applications to extend a PKIX 521 * {@code CertPathValidator} or {@code CertPathBuilder}. 522 * Each of the specified {@code PKIXCertPathChecker}s will be called, 523 * in turn, by a PKIX {@code CertPathValidator} or 524 * {@code CertPathBuilder} for each certificate processed or 525 * validated. 526 * <p> 527 * Regardless of whether these additional {@code PKIXCertPathChecker}s 528 * are set, a PKIX {@code CertPathValidator} or 529 * {@code CertPathBuilder} must perform all of the required PKIX 530 * checks on each certificate. The one exception to this rule is if the 531 * RevocationEnabled flag is set to false (see the {@link 532 * #setRevocationEnabled setRevocationEnabled} method). 533 * <p> 534 * Note that the {@code List} supplied here is copied and each 535 * {@code PKIXCertPathChecker} in the list is cloned to protect 536 * against subsequent modifications. 537 * 538 * @param checkers a {@code List} of {@code PKIXCertPathChecker}s. 539 * May be {@code null}, in which case no additional checkers will be 540 * used. 541 * @throws ClassCastException if any of the elements in the list 542 * are not of type {@code java.security.cert.PKIXCertPathChecker} 543 * @see #getCertPathCheckers 544 */ setCertPathCheckers(List<PKIXCertPathChecker> checkers)545 public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) { 546 if (checkers != null) { 547 List<PKIXCertPathChecker> tmpList = new ArrayList<>(); 548 for (PKIXCertPathChecker checker : checkers) { 549 tmpList.add((PKIXCertPathChecker)checker.clone()); 550 } 551 this.certPathCheckers = tmpList; 552 } else { 553 this.certPathCheckers = new ArrayList<>(); 554 } 555 } 556 557 /** 558 * Returns the {@code List} of certification path checkers. 559 * The returned {@code List} is immutable, and each 560 * {@code PKIXCertPathChecker} in the {@code List} is cloned 561 * to protect against subsequent modifications. 562 * 563 * @return an immutable {@code List} of 564 * {@code PKIXCertPathChecker}s (may be empty, but not 565 * {@code null}) 566 * @see #setCertPathCheckers 567 */ getCertPathCheckers()568 public List<PKIXCertPathChecker> getCertPathCheckers() { 569 List<PKIXCertPathChecker> tmpList = new ArrayList<>(); 570 for (PKIXCertPathChecker ck : certPathCheckers) { 571 tmpList.add((PKIXCertPathChecker)ck.clone()); 572 } 573 return Collections.unmodifiableList(tmpList); 574 } 575 576 /** 577 * Adds a {@code PKIXCertPathChecker} to the list of certification 578 * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers} 579 * method for more details. 580 * <p> 581 * Note that the {@code PKIXCertPathChecker} is cloned to protect 582 * against subsequent modifications. 583 * 584 * @param checker a {@code PKIXCertPathChecker} to add to the list of 585 * checks. If {@code null}, the checker is ignored (not added to list). 586 */ addCertPathChecker(PKIXCertPathChecker checker)587 public void addCertPathChecker(PKIXCertPathChecker checker) { 588 if (checker != null) { 589 certPathCheckers.add((PKIXCertPathChecker)checker.clone()); 590 } 591 } 592 593 /** 594 * Returns the signature provider's name, or {@code null} 595 * if not set. 596 * 597 * @return the signature provider's name (or {@code null}) 598 * @see #setSigProvider 599 */ getSigProvider()600 public String getSigProvider() { 601 return this.sigProvider; 602 } 603 604 /** 605 * Sets the signature provider's name. The specified provider will be 606 * preferred when creating {@link java.security.Signature Signature} 607 * objects. If {@code null} or not set, the first provider found 608 * supporting the algorithm will be used. 609 * 610 * @param sigProvider the signature provider's name (or {@code null}) 611 * @see #getSigProvider 612 */ setSigProvider(String sigProvider)613 public void setSigProvider(String sigProvider) { 614 this.sigProvider = sigProvider; 615 } 616 617 /** 618 * Returns the required constraints on the target certificate. 619 * The constraints are returned as an instance of {@code CertSelector}. 620 * If {@code null}, no constraints are defined. 621 * 622 * <p>Note that the {@code CertSelector} returned is cloned 623 * to protect against subsequent modifications. 624 * 625 * @return a {@code CertSelector} specifying the constraints 626 * on the target certificate (or {@code null}) 627 * @see #setTargetCertConstraints 628 */ getTargetCertConstraints()629 public CertSelector getTargetCertConstraints() { 630 if (certSelector != null) { 631 return (CertSelector) certSelector.clone(); 632 } else { 633 return null; 634 } 635 } 636 637 /** 638 * Sets the required constraints on the target certificate. 639 * The constraints are specified as an instance of 640 * {@code CertSelector}. If {@code null}, no constraints are 641 * defined. 642 * 643 * <p>Note that the {@code CertSelector} specified is cloned 644 * to protect against subsequent modifications. 645 * 646 * @param selector a {@code CertSelector} specifying the constraints 647 * on the target certificate (or {@code null}) 648 * @see #getTargetCertConstraints 649 */ setTargetCertConstraints(CertSelector selector)650 public void setTargetCertConstraints(CertSelector selector) { 651 if (selector != null) 652 certSelector = (CertSelector) selector.clone(); 653 else 654 certSelector = null; 655 } 656 657 /** 658 * Makes a copy of this {@code PKIXParameters} object. Changes 659 * to the copy will not affect the original and vice versa. 660 * 661 * @return a copy of this {@code PKIXParameters} object 662 */ clone()663 public Object clone() { 664 try { 665 PKIXParameters copy = (PKIXParameters)super.clone(); 666 667 // must clone these because addCertStore, et al. modify them 668 if (certStores != null) { 669 copy.certStores = new ArrayList<>(certStores); 670 } 671 if (certPathCheckers != null) { 672 copy.certPathCheckers = 673 new ArrayList<>(certPathCheckers.size()); 674 for (PKIXCertPathChecker checker : certPathCheckers) { 675 copy.certPathCheckers.add( 676 (PKIXCertPathChecker)checker.clone()); 677 } 678 } 679 680 // other class fields are immutable to public, don't bother 681 // to clone the read-only fields. 682 return copy; 683 } catch (CloneNotSupportedException e) { 684 /* Cannot happen */ 685 throw new InternalError(e.toString(), e); 686 } 687 } 688 689 /** 690 * Returns a formatted string describing the parameters. 691 * 692 * @return a formatted string describing the parameters. 693 */ toString()694 public String toString() { 695 StringBuilder sb = new StringBuilder(); 696 sb.append("[\n"); 697 698 /* start with trusted anchor info */ 699 if (unmodTrustAnchors != null) { 700 sb.append(" Trust Anchors: " + unmodTrustAnchors.toString() 701 + "\n"); 702 } 703 704 /* now, append initial state information */ 705 if (unmodInitialPolicies != null) { 706 if (unmodInitialPolicies.isEmpty()) { 707 sb.append(" Initial Policy OIDs: any\n"); 708 } else { 709 sb.append(" Initial Policy OIDs: [" 710 + unmodInitialPolicies.toString() + "]\n"); 711 } 712 } 713 714 /* now, append constraints on all certificates in the path */ 715 sb.append(" Validity Date: " + String.valueOf(date) + "\n"); 716 sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n"); 717 sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n"); 718 sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n"); 719 sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n"); 720 sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n"); 721 sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n"); 722 723 /* now, append target cert requirements */ 724 sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n"); 725 726 /* finally, append miscellaneous parameters */ 727 if (certPathCheckers != null) 728 sb.append(" Certification Path Checkers: [" 729 + certPathCheckers.toString() + "]\n"); 730 if (certStores != null) 731 sb.append(" CertStores: [" + certStores.toString() + "]\n"); 732 sb.append("]"); 733 return sb.toString(); 734 } 735 } 736