1 /* 2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security.cert; 27 28 import java.security.InvalidAlgorithmParameterException; 29 import java.security.KeyStore; 30 import java.security.KeyStoreException; 31 import java.util.ArrayList; 32 import java.util.Collections; 33 import java.util.Date; 34 import java.util.Enumeration; 35 import java.util.HashSet; 36 import java.util.Iterator; 37 import java.util.List; 38 import java.util.Set; 39 40 /** 41 * Parameters used as input for the PKIX {@code CertPathValidator} 42 * algorithm. 43 * <p> 44 * A PKIX {@code CertPathValidator} uses these parameters to 45 * validate a {@code CertPath} according to the PKIX certification path 46 * validation algorithm. 47 * 48 * <p>To instantiate a {@code PKIXParameters} object, an 49 * application must specify one or more <i>most-trusted CAs</i> as defined by 50 * the PKIX certification path validation algorithm. The most-trusted CAs 51 * can be specified using one of two constructors. An application 52 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)}, 53 * specifying a {@code Set} of {@code TrustAnchor} objects, each 54 * of which identify a most-trusted CA. Alternatively, an application can call 55 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a 56 * {@code KeyStore} instance containing trusted certificate entries, each 57 * of which will be considered as a most-trusted CA. 58 * <p> 59 * Once a {@code PKIXParameters} object has been created, other parameters 60 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies} 61 * or {@link #setDate setDate}, for instance) and then the 62 * {@code PKIXParameters} is passed along with the {@code CertPath} 63 * to be validated to {@link CertPathValidator#validate 64 * CertPathValidator.validate}. 65 * <p> 66 * Any parameter that is not set (or is set to {@code null}) will 67 * be set to the default value for that parameter. The default value for the 68 * {@code date} parameter is {@code null}, which indicates 69 * the current time when the path is validated. The default for the 70 * remaining parameters is the least constrained. 71 * <p> 72 * <b>Concurrent Access</b> 73 * <p> 74 * Unless otherwise specified, the methods defined in this class are not 75 * thread-safe. Multiple threads that need to access a single 76 * object concurrently should synchronize amongst themselves and 77 * provide the necessary locking. Multiple threads each manipulating 78 * separate objects need not synchronize. 79 * 80 * @see CertPathValidator 81 * 82 * @since 1.4 83 * @author Sean Mullan 84 * @author Yassir Elley 85 */ 86 public class PKIXParameters implements CertPathParameters { 87 88 private Set<TrustAnchor> unmodTrustAnchors; 89 private Date date; 90 private List<PKIXCertPathChecker> certPathCheckers; 91 private String sigProvider; 92 private boolean revocationEnabled = true; 93 private Set<String> unmodInitialPolicies; 94 private boolean explicitPolicyRequired = false; 95 private boolean policyMappingInhibited = false; 96 private boolean anyPolicyInhibited = false; 97 private boolean policyQualifiersRejected = true; 98 private List<CertStore> certStores; 99 private CertSelector certSelector; 100 101 /** 102 * Creates an instance of {@code PKIXParameters} with the specified 103 * {@code Set} of most-trusted CAs. Each element of the 104 * set is a {@link TrustAnchor TrustAnchor}. 105 * <p> 106 * Note that the {@code Set} is copied to protect against 107 * subsequent modifications. 108 * 109 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s 110 * @throws InvalidAlgorithmParameterException if the specified 111 * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)} 112 * @throws NullPointerException if the specified {@code Set} is 113 * {@code null} 114 * @throws ClassCastException if any of the elements in the {@code Set} 115 * are not of type {@code java.security.cert.TrustAnchor} 116 */ PKIXParameters(Set<TrustAnchor> trustAnchors)117 public PKIXParameters(Set<TrustAnchor> trustAnchors) 118 throws InvalidAlgorithmParameterException 119 { 120 setTrustAnchors(trustAnchors); 121 122 this.unmodInitialPolicies = Collections.<String>emptySet(); 123 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>(); 124 this.certStores = new ArrayList<CertStore>(); 125 } 126 127 /** 128 * Creates an instance of {@code PKIXParameters} that 129 * populates the set of most-trusted CAs from the trusted 130 * certificate entries contained in the specified {@code KeyStore}. 131 * Only keystore entries that contain trusted {@code X509Certificates} 132 * are considered; all other certificate types are ignored. 133 * 134 * @param keystore a {@code KeyStore} from which the set of 135 * most-trusted CAs will be populated 136 * @throws KeyStoreException if the keystore has not been initialized 137 * @throws InvalidAlgorithmParameterException if the keystore does 138 * not contain at least one trusted certificate entry 139 * @throws NullPointerException if the keystore is {@code null} 140 */ PKIXParameters(KeyStore keystore)141 public PKIXParameters(KeyStore keystore) 142 throws KeyStoreException, InvalidAlgorithmParameterException 143 { 144 if (keystore == null) 145 throw new NullPointerException("the keystore parameter must be " + 146 "non-null"); 147 Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>(); 148 Enumeration<String> aliases = keystore.aliases(); 149 while (aliases.hasMoreElements()) { 150 String alias = aliases.nextElement(); 151 if (keystore.isCertificateEntry(alias)) { 152 Certificate cert = keystore.getCertificate(alias); 153 if (cert instanceof X509Certificate) 154 hashSet.add(new TrustAnchor((X509Certificate)cert, null)); 155 } 156 } 157 setTrustAnchors(hashSet); 158 this.unmodInitialPolicies = Collections.<String>emptySet(); 159 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>(); 160 this.certStores = new ArrayList<CertStore>(); 161 } 162 163 /** 164 * Returns an immutable {@code Set} of the most-trusted 165 * CAs. 166 * 167 * @return an immutable {@code Set} of {@code TrustAnchor}s 168 * (never {@code null}) 169 * 170 * @see #setTrustAnchors 171 */ getTrustAnchors()172 public Set<TrustAnchor> getTrustAnchors() { 173 return this.unmodTrustAnchors; 174 } 175 176 /** 177 * Sets the {@code Set} of most-trusted CAs. 178 * <p> 179 * Note that the {@code Set} is copied to protect against 180 * subsequent modifications. 181 * 182 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s 183 * @throws InvalidAlgorithmParameterException if the specified 184 * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)} 185 * @throws NullPointerException if the specified {@code Set} is 186 * {@code null} 187 * @throws ClassCastException if any of the elements in the set 188 * are not of type {@code java.security.cert.TrustAnchor} 189 * 190 * @see #getTrustAnchors 191 */ setTrustAnchors(Set<TrustAnchor> trustAnchors)192 public void setTrustAnchors(Set<TrustAnchor> trustAnchors) 193 throws InvalidAlgorithmParameterException 194 { 195 if (trustAnchors == null) { 196 throw new NullPointerException("the trustAnchors parameters must" + 197 " be non-null"); 198 } 199 if (trustAnchors.isEmpty()) { 200 throw new InvalidAlgorithmParameterException("the trustAnchors " + 201 "parameter must be non-empty"); 202 } 203 for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) { 204 if (!(i.next() instanceof TrustAnchor)) { 205 throw new ClassCastException("all elements of set must be " 206 + "of type java.security.cert.TrustAnchor"); 207 } 208 } 209 this.unmodTrustAnchors = Collections.unmodifiableSet 210 (new HashSet<TrustAnchor>(trustAnchors)); 211 } 212 213 /** 214 * Returns an immutable {@code Set} of initial 215 * policy identifiers (OID strings), indicating that any one of these 216 * policies would be acceptable to the certificate user for the purposes of 217 * certification path processing. The default return value is an empty 218 * {@code Set}, which is interpreted as meaning that any policy would 219 * be acceptable. 220 * 221 * @return an immutable {@code Set} of initial policy OIDs in 222 * {@code String} format, or an empty {@code Set} (implying any 223 * policy is acceptable). Never returns {@code null}. 224 * 225 * @see #setInitialPolicies 226 */ getInitialPolicies()227 public Set<String> getInitialPolicies() { 228 return this.unmodInitialPolicies; 229 } 230 231 /** 232 * Sets the {@code Set} of initial policy identifiers 233 * (OID strings), indicating that any one of these 234 * policies would be acceptable to the certificate user for the purposes of 235 * certification path processing. By default, any policy is acceptable 236 * (i.e. all policies), so a user that wants to allow any policy as 237 * acceptable does not need to call this method, or can call it 238 * with an empty {@code Set} (or {@code null}). 239 * <p> 240 * Note that the {@code Set} is copied to protect against 241 * subsequent modifications. 242 * 243 * @param initialPolicies a {@code Set} of initial policy 244 * OIDs in {@code String} format (or {@code null}) 245 * @throws ClassCastException if any of the elements in the set are 246 * not of type {@code String} 247 * 248 * @see #getInitialPolicies 249 */ setInitialPolicies(Set<String> initialPolicies)250 public void setInitialPolicies(Set<String> initialPolicies) { 251 if (initialPolicies != null) { 252 for (Iterator<String> i = initialPolicies.iterator(); 253 i.hasNext();) { 254 if (!(i.next() instanceof String)) 255 throw new ClassCastException("all elements of set must be " 256 + "of type java.lang.String"); 257 } 258 this.unmodInitialPolicies = 259 Collections.unmodifiableSet(new HashSet<String>(initialPolicies)); 260 } else 261 this.unmodInitialPolicies = Collections.<String>emptySet(); 262 } 263 264 /** 265 * Sets the list of {@code CertStore}s to be used in finding 266 * certificates and CRLs. May be {@code null}, in which case 267 * no {@code CertStore}s will be used. The first 268 * {@code CertStore}s in the list may be preferred to those that 269 * appear later. 270 * <p> 271 * Note that the {@code List} is copied to protect against 272 * subsequent modifications. 273 * 274 * @param stores a {@code List} of {@code CertStore}s (or 275 * {@code null}) 276 * @throws ClassCastException if any of the elements in the list are 277 * not of type {@code java.security.cert.CertStore} 278 * 279 * @see #getCertStores 280 */ setCertStores(List<CertStore> stores)281 public void setCertStores(List<CertStore> stores) { 282 if (stores == null) { 283 this.certStores = new ArrayList<CertStore>(); 284 } else { 285 for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) { 286 if (!(i.next() instanceof CertStore)) { 287 throw new ClassCastException("all elements of list must be " 288 + "of type java.security.cert.CertStore"); 289 } 290 } 291 this.certStores = new ArrayList<CertStore>(stores); 292 } 293 } 294 295 /** 296 * Adds a {@code CertStore} to the end of the list of 297 * {@code CertStore}s used in finding certificates and CRLs. 298 * 299 * @param store the {@code CertStore} to add. If {@code null}, 300 * the store is ignored (not added to list). 301 */ addCertStore(CertStore store)302 public void addCertStore(CertStore store) { 303 if (store != null) { 304 this.certStores.add(store); 305 } 306 } 307 308 /** 309 * Returns an immutable {@code List} of {@code CertStore}s that 310 * are used to find certificates and CRLs. 311 * 312 * @return an immutable {@code List} of {@code CertStore}s 313 * (may be empty, but never {@code null}) 314 * 315 * @see #setCertStores 316 */ getCertStores()317 public List<CertStore> getCertStores() { 318 return Collections.unmodifiableList 319 (new ArrayList<CertStore>(this.certStores)); 320 } 321 322 /** 323 * Sets the RevocationEnabled flag. If this flag is true, the default 324 * revocation checking mechanism of the underlying PKIX service provider 325 * will be used. If this flag is false, the default revocation checking 326 * mechanism will be disabled (not used). 327 * <p> 328 * When a {@code PKIXParameters} object is created, this flag is set 329 * to true. This setting reflects the most common strategy for checking 330 * revocation, since each service provider must support revocation 331 * checking to be PKIX compliant. Sophisticated applications should set 332 * this flag to false when it is not practical to use a PKIX service 333 * provider's default revocation checking mechanism or when an alternative 334 * revocation checking mechanism is to be substituted (by also calling the 335 * {@link #addCertPathChecker addCertPathChecker} or {@link 336 * #setCertPathCheckers setCertPathCheckers} methods). 337 * 338 * @param val the new value of the RevocationEnabled flag 339 */ setRevocationEnabled(boolean val)340 public void setRevocationEnabled(boolean val) { 341 revocationEnabled = val; 342 } 343 344 /** 345 * Checks the RevocationEnabled flag. If this flag is true, the default 346 * revocation checking mechanism of the underlying PKIX service provider 347 * will be used. If this flag is false, the default revocation checking 348 * mechanism will be disabled (not used). See the {@link 349 * #setRevocationEnabled setRevocationEnabled} method for more details on 350 * setting the value of this flag. 351 * 352 * @return the current value of the RevocationEnabled flag 353 */ isRevocationEnabled()354 public boolean isRevocationEnabled() { 355 return revocationEnabled; 356 } 357 358 /** 359 * Sets the ExplicitPolicyRequired flag. If this flag is true, an 360 * acceptable policy needs to be explicitly identified in every certificate. 361 * By default, the ExplicitPolicyRequired flag is false. 362 * 363 * @param val {@code true} if explicit policy is to be required, 364 * {@code false} otherwise 365 */ setExplicitPolicyRequired(boolean val)366 public void setExplicitPolicyRequired(boolean val) { 367 explicitPolicyRequired = val; 368 } 369 370 /** 371 * Checks if explicit policy is required. If this flag is true, an 372 * acceptable policy needs to be explicitly identified in every certificate. 373 * By default, the ExplicitPolicyRequired flag is false. 374 * 375 * @return {@code true} if explicit policy is required, 376 * {@code false} otherwise 377 */ isExplicitPolicyRequired()378 public boolean isExplicitPolicyRequired() { 379 return explicitPolicyRequired; 380 } 381 382 /** 383 * Sets the PolicyMappingInhibited flag. If this flag is true, policy 384 * mapping is inhibited. By default, policy mapping is not inhibited (the 385 * flag is false). 386 * 387 * @param val {@code true} if policy mapping is to be inhibited, 388 * {@code false} otherwise 389 */ setPolicyMappingInhibited(boolean val)390 public void setPolicyMappingInhibited(boolean val) { 391 policyMappingInhibited = val; 392 } 393 394 /** 395 * Checks if policy mapping is inhibited. If this flag is true, policy 396 * mapping is inhibited. By default, policy mapping is not inhibited (the 397 * flag is false). 398 * 399 * @return true if policy mapping is inhibited, false otherwise 400 */ isPolicyMappingInhibited()401 public boolean isPolicyMappingInhibited() { 402 return policyMappingInhibited; 403 } 404 405 /** 406 * Sets state to determine if the any policy OID should be processed 407 * if it is included in a certificate. By default, the any policy OID 408 * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()} 409 * returns {@code false}). 410 * 411 * @param val {@code true} if the any policy OID is to be 412 * inhibited, {@code false} otherwise 413 */ setAnyPolicyInhibited(boolean val)414 public void setAnyPolicyInhibited(boolean val) { 415 anyPolicyInhibited = val; 416 } 417 418 /** 419 * Checks whether the any policy OID should be processed if it 420 * is included in a certificate. 421 * 422 * @return {@code true} if the any policy OID is inhibited, 423 * {@code false} otherwise 424 */ isAnyPolicyInhibited()425 public boolean isAnyPolicyInhibited() { 426 return anyPolicyInhibited; 427 } 428 429 /** 430 * Sets the PolicyQualifiersRejected flag. If this flag is true, 431 * certificates that include policy qualifiers in a certificate 432 * policies extension that is marked critical are rejected. 433 * If the flag is false, certificates are not rejected on this basis. 434 * 435 * <p> When a {@code PKIXParameters} object is created, this flag is 436 * set to true. This setting reflects the most common (and simplest) 437 * strategy for processing policy qualifiers. Applications that want to use 438 * a more sophisticated policy must set this flag to false. 439 * <p> 440 * Note that the PKIX certification path validation algorithm specifies 441 * that any policy qualifier in a certificate policies extension that is 442 * marked critical must be processed and validated. Otherwise the 443 * certification path must be rejected. If the policyQualifiersRejected flag 444 * is set to false, it is up to the application to validate all policy 445 * qualifiers in this manner in order to be PKIX compliant. 446 * 447 * @param qualifiersRejected the new value of the PolicyQualifiersRejected 448 * flag 449 * @see #getPolicyQualifiersRejected 450 * @see PolicyQualifierInfo 451 */ setPolicyQualifiersRejected(boolean qualifiersRejected)452 public void setPolicyQualifiersRejected(boolean qualifiersRejected) { 453 policyQualifiersRejected = qualifiersRejected; 454 } 455 456 /** 457 * Gets the PolicyQualifiersRejected flag. If this flag is true, 458 * certificates that include policy qualifiers in a certificate policies 459 * extension that is marked critical are rejected. 460 * If the flag is false, certificates are not rejected on this basis. 461 * 462 * <p> When a {@code PKIXParameters} object is created, this flag is 463 * set to true. This setting reflects the most common (and simplest) 464 * strategy for processing policy qualifiers. Applications that want to use 465 * a more sophisticated policy must set this flag to false. 466 * 467 * @return the current value of the PolicyQualifiersRejected flag 468 * @see #setPolicyQualifiersRejected 469 */ getPolicyQualifiersRejected()470 public boolean getPolicyQualifiersRejected() { 471 return policyQualifiersRejected; 472 } 473 474 /** 475 * Returns the time for which the validity of the certification path 476 * should be determined. If {@code null}, the current time is used. 477 * <p> 478 * Note that the {@code Date} returned is copied to protect against 479 * subsequent modifications. 480 * 481 * @return the {@code Date}, or {@code null} if not set 482 * @see #setDate 483 */ getDate()484 public Date getDate() { 485 if (date == null) 486 return null; 487 else 488 return (Date) this.date.clone(); 489 } 490 491 /** 492 * Sets the time for which the validity of the certification path 493 * should be determined. If {@code null}, the current time is used. 494 * <p> 495 * Note that the {@code Date} supplied here is copied to protect 496 * against subsequent modifications. 497 * 498 * @param date the {@code Date}, or {@code null} for the 499 * current time 500 * @see #getDate 501 */ setDate(Date date)502 public void setDate(Date date) { 503 if (date != null) 504 this.date = (Date) date.clone(); 505 else 506 date = null; 507 } 508 509 /** 510 * Sets a {@code List} of additional certification path checkers. If 511 * the specified {@code List} contains an object that is not a 512 * {@code PKIXCertPathChecker}, it is ignored. 513 * <p> 514 * Each {@code PKIXCertPathChecker} specified implements 515 * additional checks on a certificate. Typically, these are checks to 516 * process and verify private extensions contained in certificates. 517 * Each {@code PKIXCertPathChecker} should be instantiated with any 518 * initialization parameters needed to execute the check. 519 * <p> 520 * This method allows sophisticated applications to extend a PKIX 521 * {@code CertPathValidator} or {@code CertPathBuilder}. 522 * Each of the specified {@code PKIXCertPathChecker}s will be called, 523 * in turn, by a PKIX {@code CertPathValidator} or 524 * {@code CertPathBuilder} for each certificate processed or 525 * validated. 526 * <p> 527 * Regardless of whether these additional {@code PKIXCertPathChecker}s 528 * are set, a PKIX {@code CertPathValidator} or 529 * {@code CertPathBuilder} must perform all of the required PKIX 530 * checks on each certificate. The one exception to this rule is if the 531 * RevocationEnabled flag is set to false (see the {@link 532 * #setRevocationEnabled setRevocationEnabled} method). 533 * <p> 534 * Note that the {@code List} supplied here is copied and each 535 * {@code PKIXCertPathChecker} in the list is cloned to protect 536 * against subsequent modifications. 537 * 538 * @param checkers a {@code List} of {@code PKIXCertPathChecker}s. 539 * May be {@code null}, in which case no additional checkers will be 540 * used. 541 * @throws ClassCastException if any of the elements in the list 542 * are not of type {@code java.security.cert.PKIXCertPathChecker} 543 * @see #getCertPathCheckers 544 */ setCertPathCheckers(List<PKIXCertPathChecker> checkers)545 public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) { 546 if (checkers != null) { 547 List<PKIXCertPathChecker> tmpList = 548 new ArrayList<PKIXCertPathChecker>(); 549 for (PKIXCertPathChecker checker : checkers) { 550 tmpList.add((PKIXCertPathChecker)checker.clone()); 551 } 552 this.certPathCheckers = tmpList; 553 } else { 554 this.certPathCheckers = new ArrayList<PKIXCertPathChecker>(); 555 } 556 } 557 558 /** 559 * Returns the {@code List} of certification path checkers. 560 * The returned {@code List} is immutable, and each 561 * {@code PKIXCertPathChecker} in the {@code List} is cloned 562 * to protect against subsequent modifications. 563 * 564 * @return an immutable {@code List} of 565 * {@code PKIXCertPathChecker}s (may be empty, but not 566 * {@code null}) 567 * @see #setCertPathCheckers 568 */ getCertPathCheckers()569 public List<PKIXCertPathChecker> getCertPathCheckers() { 570 List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>(); 571 for (PKIXCertPathChecker ck : certPathCheckers) { 572 tmpList.add((PKIXCertPathChecker)ck.clone()); 573 } 574 return Collections.unmodifiableList(tmpList); 575 } 576 577 /** 578 * Adds a {@code PKIXCertPathChecker} to the list of certification 579 * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers} 580 * method for more details. 581 * <p> 582 * Note that the {@code PKIXCertPathChecker} is cloned to protect 583 * against subsequent modifications. 584 * 585 * @param checker a {@code PKIXCertPathChecker} to add to the list of 586 * checks. If {@code null}, the checker is ignored (not added to list). 587 */ addCertPathChecker(PKIXCertPathChecker checker)588 public void addCertPathChecker(PKIXCertPathChecker checker) { 589 if (checker != null) { 590 certPathCheckers.add((PKIXCertPathChecker)checker.clone()); 591 } 592 } 593 594 /** 595 * Returns the signature provider's name, or {@code null} 596 * if not set. 597 * 598 * @return the signature provider's name (or {@code null}) 599 * @see #setSigProvider 600 */ getSigProvider()601 public String getSigProvider() { 602 return this.sigProvider; 603 } 604 605 /** 606 * Sets the signature provider's name. The specified provider will be 607 * preferred when creating {@link java.security.Signature Signature} 608 * objects. If {@code null} or not set, the first provider found 609 * supporting the algorithm will be used. 610 * 611 * @param sigProvider the signature provider's name (or {@code null}) 612 * @see #getSigProvider 613 */ setSigProvider(String sigProvider)614 public void setSigProvider(String sigProvider) { 615 this.sigProvider = sigProvider; 616 } 617 618 /** 619 * Returns the required constraints on the target certificate. 620 * The constraints are returned as an instance of {@code CertSelector}. 621 * If {@code null}, no constraints are defined. 622 * 623 * <p>Note that the {@code CertSelector} returned is cloned 624 * to protect against subsequent modifications. 625 * 626 * @return a {@code CertSelector} specifying the constraints 627 * on the target certificate (or {@code null}) 628 * @see #setTargetCertConstraints 629 */ getTargetCertConstraints()630 public CertSelector getTargetCertConstraints() { 631 if (certSelector != null) { 632 return (CertSelector) certSelector.clone(); 633 } else { 634 return null; 635 } 636 } 637 638 /** 639 * Sets the required constraints on the target certificate. 640 * The constraints are specified as an instance of 641 * {@code CertSelector}. If {@code null}, no constraints are 642 * defined. 643 * 644 * <p>Note that the {@code CertSelector} specified is cloned 645 * to protect against subsequent modifications. 646 * 647 * @param selector a {@code CertSelector} specifying the constraints 648 * on the target certificate (or {@code null}) 649 * @see #getTargetCertConstraints 650 */ setTargetCertConstraints(CertSelector selector)651 public void setTargetCertConstraints(CertSelector selector) { 652 if (selector != null) 653 certSelector = (CertSelector) selector.clone(); 654 else 655 certSelector = null; 656 } 657 658 /** 659 * Makes a copy of this {@code PKIXParameters} object. Changes 660 * to the copy will not affect the original and vice versa. 661 * 662 * @return a copy of this {@code PKIXParameters} object 663 */ clone()664 public Object clone() { 665 try { 666 PKIXParameters copy = (PKIXParameters)super.clone(); 667 668 // must clone these because addCertStore, et al. modify them 669 if (certStores != null) { 670 copy.certStores = new ArrayList<CertStore>(certStores); 671 } 672 if (certPathCheckers != null) { 673 copy.certPathCheckers = 674 new ArrayList<PKIXCertPathChecker>(certPathCheckers.size()); 675 for (PKIXCertPathChecker checker : certPathCheckers) { 676 copy.certPathCheckers.add( 677 (PKIXCertPathChecker)checker.clone()); 678 } 679 } 680 681 // other class fields are immutable to public, don't bother 682 // to clone the read-only fields. 683 return copy; 684 } catch (CloneNotSupportedException e) { 685 /* Cannot happen */ 686 throw new InternalError(e.toString(), e); 687 } 688 } 689 690 /** 691 * Returns a formatted string describing the parameters. 692 * 693 * @return a formatted string describing the parameters. 694 */ toString()695 public String toString() { 696 StringBuffer sb = new StringBuffer(); 697 sb.append("[\n"); 698 699 /* start with trusted anchor info */ 700 if (unmodTrustAnchors != null) { 701 sb.append(" Trust Anchors: " + unmodTrustAnchors.toString() 702 + "\n"); 703 } 704 705 /* now, append initial state information */ 706 if (unmodInitialPolicies != null) { 707 if (unmodInitialPolicies.isEmpty()) { 708 sb.append(" Initial Policy OIDs: any\n"); 709 } else { 710 sb.append(" Initial Policy OIDs: [" 711 + unmodInitialPolicies.toString() + "]\n"); 712 } 713 } 714 715 /* now, append constraints on all certificates in the path */ 716 sb.append(" Validity Date: " + String.valueOf(date) + "\n"); 717 sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n"); 718 sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n"); 719 sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n"); 720 sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n"); 721 sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n"); 722 sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n"); 723 724 /* now, append target cert requirements */ 725 sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n"); 726 727 /* finally, append miscellaneous parameters */ 728 if (certPathCheckers != null) 729 sb.append(" Certification Path Checkers: [" 730 + certPathCheckers.toString() + "]\n"); 731 if (certStores != null) 732 sb.append(" CertStores: [" + certStores.toString() + "]\n"); 733 sb.append("]"); 734 return sb.toString(); 735 } 736 } 737