1 package org.bouncycastle.jcajce;
2 
3 import java.security.cert.CertPathParameters;
4 import java.security.cert.CertSelector;
5 import java.security.cert.CertStore;
6 import java.security.cert.PKIXParameters;
7 import java.security.cert.TrustAnchor;
8 import java.util.ArrayList;
9 import java.util.Collections;
10 import java.util.Date;
11 import java.util.HashMap;
12 import java.util.List;
13 import java.util.Map;
14 import java.util.Set;
15 
16 import org.bouncycastle.asn1.x509.GeneralName;
17 
18 /**
19  * This class extends the PKIXParameters with a validity model parameter.
20  */
21 public class PKIXExtendedParameters
22     implements CertPathParameters
23 {
24     /**
25      * This is the default PKIX validity model. Actually there are two variants
26      * of this: The PKIX model and the modified PKIX model. The PKIX model
27      * verifies that all involved certificates must have been valid at the
28      * current time. The modified PKIX model verifies that all involved
29      * certificates were valid at the signing time. Both are indirectly choosen
30      * with the {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method, so this
31      * methods sets the Date when <em>all</em> certificates must have been
32      * valid.
33      */
34     public static final int PKIX_VALIDITY_MODEL = 0;
35 
36     /**
37      * This model uses the following validity model. Each certificate must have
38      * been valid at the moment where is was used. That means the end
39      * certificate must have been valid at the time the signature was done. The
40      * CA certificate which signed the end certificate must have been valid,
41      * when the end certificate was signed. The CA (or Root CA) certificate must
42      * have been valid, when the CA certificate was signed and so on. So the
43      * {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method sets the time, when
44      * the <em>end certificate</em> must have been valid.
45      * <p>
46      * It is used e.g.
47      * in the German signature law.
48      * </p>
49      */
50     public static final int CHAIN_VALIDITY_MODEL = 1;
51 
52     public static class Builder
53     {
54         private final PKIXParameters baseParameters;
55         private final Date date;
56 
57         private PKIXCertStoreSelector targetConstraints;
58         private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>();
59         private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>();
60         private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>();
61         private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>();
62         private boolean revocationEnabled;
63         private int validityModel = PKIX_VALIDITY_MODEL;
64         private boolean useDeltas = false;
65         private Set<TrustAnchor> trustAnchors;
66 
Builder(PKIXParameters baseParameters)67         public Builder(PKIXParameters baseParameters)
68         {
69             this.baseParameters = (PKIXParameters)baseParameters.clone();
70             CertSelector constraints = baseParameters.getTargetCertConstraints();
71             if (constraints != null)
72             {
73                 this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
74             }
75             Date checkDate = baseParameters.getDate();
76             this.date = (checkDate == null) ? new Date() : checkDate;
77             this.revocationEnabled = baseParameters.isRevocationEnabled();
78             this.trustAnchors = baseParameters.getTrustAnchors();
79         }
80 
Builder(PKIXExtendedParameters baseParameters)81         public Builder(PKIXExtendedParameters baseParameters)
82         {
83             this.baseParameters = baseParameters.baseParameters;
84             this.date = baseParameters.date;
85             this.targetConstraints = baseParameters.targetConstraints;
86             this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores);
87             this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap);
88             this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores);
89             this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap);
90             this.useDeltas = baseParameters.useDeltas;
91             this.validityModel = baseParameters.validityModel;
92             this.revocationEnabled = baseParameters.isRevocationEnabled();
93             this.trustAnchors = baseParameters.getTrustAnchors();
94         }
95 
addCertificateStore(PKIXCertStore store)96         public Builder addCertificateStore(PKIXCertStore store)
97         {
98             extraCertStores.add(store);
99 
100             return this;
101         }
102 
addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)103         public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)
104         {
105             namedCertificateStoreMap.put(issuerAltName, store);
106 
107             return this;
108         }
109 
addCRLStore(PKIXCRLStore store)110         public Builder addCRLStore(PKIXCRLStore store)
111         {
112             extraCRLStores.add(store);
113 
114             return this;
115         }
116 
addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)117         public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)
118         {
119             namedCRLStoreMap.put(issuerAltName, store);
120 
121             return this;
122         }
123 
setTargetConstraints(PKIXCertStoreSelector selector)124         public Builder setTargetConstraints(PKIXCertStoreSelector selector)
125         {
126             targetConstraints = selector;
127 
128             return this;
129         }
130 
131         /**
132          * Sets if delta CRLs should be used for checking the revocation status.
133          *
134          * @param useDeltas <code>true</code> if delta CRLs should be used.
135          */
setUseDeltasEnabled(boolean useDeltas)136         public Builder setUseDeltasEnabled(boolean useDeltas)
137         {
138             this.useDeltas = useDeltas;
139 
140             return this;
141         }
142 
143         /**
144          * @param validityModel The validity model to set.
145          * @see #CHAIN_VALIDITY_MODEL
146          * @see #PKIX_VALIDITY_MODEL
147          */
setValidityModel(int validityModel)148         public Builder setValidityModel(int validityModel)
149         {
150             this.validityModel = validityModel;
151 
152             return this;
153         }
154 
155         /**
156          * Set the trustAnchor to be used with these parameters.
157          *
158          * @param trustAnchor the trust anchor end-entity and CRLs must be based on.
159          * @return the current builder.
160          */
setTrustAnchor(TrustAnchor trustAnchor)161         public Builder setTrustAnchor(TrustAnchor trustAnchor)
162         {
163             this.trustAnchors = Collections.singleton(trustAnchor);
164 
165             return this;
166         }
167 
168         /**
169          * Set the set of trustAnchors to be used with these parameters.
170          *
171          * @param trustAnchors  a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on.
172          * @return the current builder.
173          */
setTrustAnchors(Set<TrustAnchor> trustAnchors)174         public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors)
175         {
176             this.trustAnchors = trustAnchors;
177 
178             return this;
179         }
180 
181         /**
182          * Flag whether or not revocation checking is to be enabled.
183          *
184          * @param revocationEnabled  true if revocation checking to be enabled, false otherwise.
185          */
setRevocationEnabled(boolean revocationEnabled)186         public void setRevocationEnabled(boolean revocationEnabled)
187         {
188             this.revocationEnabled = revocationEnabled;
189         }
190 
build()191         public PKIXExtendedParameters build()
192         {
193             return new PKIXExtendedParameters(this);
194         }
195     }
196 
197     private final PKIXParameters baseParameters;
198     private final PKIXCertStoreSelector targetConstraints;
199     private final Date date;
200     private final List<PKIXCertStore> extraCertStores;
201     private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap;
202     private final List<PKIXCRLStore> extraCRLStores;
203     private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap;
204     private final boolean revocationEnabled;
205     private final boolean useDeltas;
206     private final int validityModel;
207     private final Set<TrustAnchor> trustAnchors;
208 
PKIXExtendedParameters(Builder builder)209     private PKIXExtendedParameters(Builder builder)
210     {
211         this.baseParameters = builder.baseParameters;
212         this.date = builder.date;
213         this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores);
214         this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap));
215         this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores);
216         this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap));
217         this.targetConstraints = builder.targetConstraints;
218         this.revocationEnabled = builder.revocationEnabled;
219         this.useDeltas = builder.useDeltas;
220         this.validityModel = builder.validityModel;
221         this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors);
222     }
223 
getCertificateStores()224     public List<PKIXCertStore> getCertificateStores()
225     {
226         return extraCertStores;
227     }
228 
229 
getNamedCertificateStoreMap()230     public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap()
231     {
232         return namedCertificateStoreMap;
233     }
234 
getCRLStores()235     public List<PKIXCRLStore> getCRLStores()
236     {
237         return extraCRLStores;
238     }
239 
getNamedCRLStoreMap()240     public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap()
241     {
242         return namedCRLStoreMap;
243     }
244 
getDate()245     public Date getDate()
246     {
247         return new Date(date.getTime());
248     }
249 
250 
251 
252 
253     /**
254      * Defaults to <code>false</code>.
255      *
256      * @return Returns if delta CRLs should be used.
257      */
isUseDeltasEnabled()258     public boolean isUseDeltasEnabled()
259     {
260         return useDeltas;
261     }
262 
263 
264 
265     /**
266      * @return Returns the validity model.
267      * @see #CHAIN_VALIDITY_MODEL
268      * @see #PKIX_VALIDITY_MODEL
269      */
getValidityModel()270     public int getValidityModel()
271     {
272         return validityModel;
273     }
274 
clone()275     public Object clone()
276     {
277         return this;
278     }
279 
280     /**
281      * Returns the required constraints on the target certificate.
282      * The constraints are returned as an instance of
283      * <code>Selector</code>. If <code>null</code>, no constraints are
284      * defined.
285      *
286      * @return a <code>Selector</code> specifying the constraints on the
287      *         target certificate or attribute certificate (or <code>null</code>)
288      * @see PKIXCertStoreSelector
289      */
getTargetConstraints()290     public PKIXCertStoreSelector getTargetConstraints()
291     {
292         return targetConstraints;
293     }
294 
getTrustAnchors()295     public Set getTrustAnchors()
296     {
297         return trustAnchors;
298     }
299 
getInitialPolicies()300     public Set getInitialPolicies()
301     {
302         return baseParameters.getInitialPolicies();
303     }
304 
getSigProvider()305     public String getSigProvider()
306     {
307         return baseParameters.getSigProvider();
308     }
309 
isExplicitPolicyRequired()310     public boolean isExplicitPolicyRequired()
311     {
312         return baseParameters.isExplicitPolicyRequired();
313     }
314 
isAnyPolicyInhibited()315     public boolean isAnyPolicyInhibited()
316     {
317         return baseParameters.isAnyPolicyInhibited();
318     }
319 
isPolicyMappingInhibited()320     public boolean isPolicyMappingInhibited()
321     {
322         return baseParameters.isPolicyMappingInhibited();
323     }
324 
getCertPathCheckers()325     public List getCertPathCheckers()
326     {
327         return baseParameters.getCertPathCheckers();
328     }
329 
getCertStores()330     public List<CertStore> getCertStores()
331     {
332         return baseParameters.getCertStores();
333     }
334 
isRevocationEnabled()335     public boolean isRevocationEnabled()
336     {
337         return revocationEnabled;
338     }
339 
340 }
341