Frames | No Frames |
1: /* PKIXParameters.java -- parameters for the PKIX cert path algorithm 2: Copyright (C) 2003 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package java.security.cert; 40: 41: import java.security.InvalidAlgorithmParameterException; 42: import java.security.KeyStore; 43: import java.security.KeyStoreException; 44: 45: import java.util.Collections; 46: import java.util.Date; 47: import java.util.Enumeration; 48: import java.util.HashSet; 49: import java.util.Iterator; 50: import java.util.LinkedList; 51: import java.util.List; 52: import java.util.Set; 53: 54: /** 55: * Parameters for verifying certificate paths using the PKIX 56: * (Public-Key Infrastructure (X.509)) algorithm. 57: * 58: * @see CertPathBuilder 59: * @since 1.4 60: */ 61: public class PKIXParameters implements CertPathParameters 62: { 63: 64: // Fields. 65: // ------------------------------------------------------------------------ 66: 67: /** The trusted certificates. */ 68: private final Set trustAnchors; 69: 70: /** The set of initial policy identifiers. */ 71: private final Set initPolicies; 72: 73: /** The list of certificate stores. */ 74: private final List certStores; 75: 76: /** The list of path checkers. */ 77: private final List pathCheckers; 78: 79: /** The revocation enabled flag. */ 80: private boolean revocationEnabled; 81: 82: /** The explicit policy required flag. */ 83: private boolean exPolicyRequired; 84: 85: /** The policy mapping inhibited flag. */ 86: private boolean policyMappingInhibited; 87: 88: /** The any policy inhibited flag. */ 89: private boolean anyPolicyInhibited; 90: 91: /** The policy qualifiers rejected flag. */ 92: private boolean policyQualRejected; 93: 94: /** The target validation date. */ 95: private Date date; 96: 97: /** The signature algorithm provider. */ 98: private String sigProvider; 99: 100: /** The target constraints. */ 101: private CertSelector targetConstraints; 102: 103: // Constructors. 104: // ------------------------------------------------------------------------ 105: 106: /** 107: * Create a new PKIXParameters object, populating the trusted 108: * certificates set with all certificates found in the given key 109: * store. All certificates found in the key store are assumed to be 110: * trusted by this constructor. 111: * 112: * @param keystore The key store. 113: * @throws KeyStoreException If the certificates cannot be retrieved 114: * from the key store. 115: * @throws InvalidAlgorithmParameterException If there are no 116: * certificates in the key store. 117: * @throws NullPointerException If <i>keystore</i> is null. 118: */ 119: public PKIXParameters(KeyStore keystore) 120: throws KeyStoreException, InvalidAlgorithmParameterException 121: { 122: this(); 123: for (Enumeration e = keystore.aliases(); e.hasMoreElements(); ) 124: { 125: String alias = (String) e.nextElement(); 126: if (!keystore.isCertificateEntry(alias)) 127: continue; 128: Certificate cert = keystore.getCertificate(alias); 129: if (cert instanceof X509Certificate) 130: trustAnchors.add(new TrustAnchor((X509Certificate) cert, null)); 131: } 132: if (trustAnchors.isEmpty()) 133: throw new InvalidAlgorithmParameterException("no certs in the key store"); 134: } 135: 136: /** 137: * Create a new PKIXParameters object, populating the trusted 138: * certificates set with the elements of the given set, each of which 139: * must be a {@link TrustAnchor}. 140: * 141: * @param trustAnchors The set of trust anchors. 142: * @throws InvalidAlgorithmParameterException If there are no 143: * certificates in the set. 144: * @throws NullPointerException If <i>trustAnchors</i> is null. 145: * @throws ClassCastException If every element in <i>trustAnchors</i> 146: * is not a {@link TrustAnchor}. 147: */ 148: public PKIXParameters(Set<TrustAnchor> trustAnchors) 149: throws InvalidAlgorithmParameterException 150: { 151: this(); 152: setTrustAnchors(trustAnchors); 153: } 154: 155: /** 156: * Default constructor. 157: */ 158: private PKIXParameters() 159: { 160: trustAnchors = new HashSet(); 161: initPolicies = new HashSet(); 162: certStores = new LinkedList(); 163: pathCheckers = new LinkedList(); 164: revocationEnabled = true; 165: exPolicyRequired = false; 166: policyMappingInhibited = false; 167: anyPolicyInhibited = false; 168: policyQualRejected = true; 169: } 170: 171: /** 172: * Copying constructor for cloning. 173: * 174: * @param that The instance being cloned. 175: */ 176: private PKIXParameters(PKIXParameters that) 177: { 178: this(); 179: this.trustAnchors.addAll(that.trustAnchors); 180: this.initPolicies.addAll(that.initPolicies); 181: this.certStores.addAll(that.certStores); 182: this.pathCheckers.addAll(that.pathCheckers); 183: this.revocationEnabled = that.revocationEnabled; 184: this.exPolicyRequired = that.exPolicyRequired; 185: this.policyMappingInhibited = that.policyMappingInhibited; 186: this.anyPolicyInhibited = that.anyPolicyInhibited; 187: this.policyQualRejected = that.policyQualRejected; 188: this.date = that.date; 189: this.sigProvider = that.sigProvider; 190: this.targetConstraints = that.targetConstraints != null 191: ? (CertSelector) that.targetConstraints.clone() : null; 192: } 193: 194: // Instance methods. 195: // ------------------------------------------------------------------------ 196: 197: /** 198: * Returns an immutable set of trust anchors. The set returned will 199: * never be null and will never be empty. 200: * 201: * @return A (never null, never empty) immutable set of trust anchors. 202: */ 203: public Set<TrustAnchor> getTrustAnchors() 204: { 205: return Collections.unmodifiableSet(trustAnchors); 206: } 207: 208: /** 209: * Sets the trust anchors of this class, replacing the current trust 210: * anchors with those in the given set. The supplied set is copied to 211: * prevent modification. 212: * 213: * @param trustAnchors The new set of trust anchors. 214: * @throws InvalidAlgorithmParameterException If there are no 215: * certificates in the set. 216: * @throws NullPointerException If <i>trustAnchors</i> is null. 217: * @throws ClassCastException If every element in <i>trustAnchors</i> 218: * is not a {@link TrustAnchor}. 219: */ 220: public void setTrustAnchors(Set<TrustAnchor> trustAnchors) 221: throws InvalidAlgorithmParameterException 222: { 223: if (trustAnchors.isEmpty()) 224: throw new InvalidAlgorithmParameterException("no trust anchors"); 225: this.trustAnchors.clear(); 226: for (Iterator i = trustAnchors.iterator(); i.hasNext(); ) 227: { 228: this.trustAnchors.add((TrustAnchor) i.next()); 229: } 230: } 231: 232: /** 233: * Returns the set of initial policy identifiers (as OID strings). If 234: * any policy is accepted, this method returns the empty set. 235: * 236: * @return An immutable set of initial policy OID strings, or the 237: * empty set if any policy is acceptable. 238: */ 239: public Set<String> getInitialPolicies() 240: { 241: return Collections.unmodifiableSet(initPolicies); 242: } 243: 244: /** 245: * Sets the initial policy identifiers (as OID strings). If the 246: * argument is null or the empty set, then any policy identifier will 247: * be accepted. 248: * 249: * @param initPolicies The new set of policy strings, or null. 250: * @throws ClassCastException If any element in <i>initPolicies</i> is 251: * not a string. 252: */ 253: public void setInitialPolicies(Set<String> initPolicies) 254: { 255: this.initPolicies.clear(); 256: if (initPolicies == null) 257: return; 258: for (Iterator i = initPolicies.iterator(); i.hasNext(); ) 259: { 260: this.initPolicies.add((String) i.next()); 261: } 262: } 263: 264: /** 265: * Add a {@link CertStore} to the list of cert stores. 266: * 267: * @param store The CertStore to add. 268: */ 269: public void addCertStore(CertStore store) 270: { 271: if (store != null) 272: certStores.add(store); 273: } 274: 275: /** 276: * Returns an immutable list of cert stores. This method never returns 277: * null. 278: * 279: * @return The list of cert stores. 280: */ 281: public List<CertStore> getCertStores() 282: { 283: return Collections.unmodifiableList(certStores); 284: } 285: 286: /** 287: * Set the cert stores. If the argument is null the list of cert 288: * stores will be empty. 289: * 290: * @param certStores The cert stores. 291: */ 292: public void setCertStores(List<CertStore> certStores) 293: { 294: this.certStores.clear(); 295: if (certStores == null) 296: return; 297: for (Iterator i = certStores.iterator(); i.hasNext(); ) 298: { 299: this.certStores.add((CertStore) i.next()); 300: } 301: } 302: 303: /** 304: * Returns the value of the <i>revocation enabled</i> flag. The default 305: * value for this flag is <code>true</code>. 306: * 307: * @return The <i>revocation enabled</i> flag. 308: */ 309: public boolean isRevocationEnabled() 310: { 311: return revocationEnabled; 312: } 313: 314: /** 315: * Sets the value of the <i>revocation enabled</i> flag. 316: * 317: * @param value The new value. 318: */ 319: public void setRevocationEnabled(boolean value) 320: { 321: revocationEnabled = value; 322: } 323: 324: /** 325: * Returns the value of the <i>explicit policy required</i> flag. The 326: * default value of this flag is <code>false</code>. 327: * 328: * @return The <i>explicit policy required</i> flag. 329: */ 330: public boolean isExplicitPolicyRequired() 331: { 332: return exPolicyRequired; 333: } 334: 335: /** 336: * Sets the value of the <i>explicit policy required</i> flag. 337: * 338: * @param value The new value. 339: */ 340: public void setExplicitPolicyRequired(boolean value) 341: { 342: exPolicyRequired = value; 343: } 344: 345: /** 346: * Returns the value of the <i>policy mapping inhibited</i> flag. The 347: * default value of this flag is <code>false</code>. 348: * 349: * @return The <i>policy mapping inhibited</i> flag. 350: */ 351: public boolean isPolicyMappingInhibited() 352: { 353: return policyMappingInhibited; 354: } 355: 356: /** 357: * Sets the value of the <i>policy mapping inhibited</i> flag. 358: * 359: * @param value The new value. 360: */ 361: public void setPolicyMappingInhibited(boolean value) 362: { 363: policyMappingInhibited = value; 364: } 365: 366: /** 367: * Returns the value of the <i>any policy inhibited</i> flag. The 368: * default value of this flag is <code>false</code>. 369: * 370: * @return The <i>any policy inhibited</i> flag. 371: */ 372: public boolean isAnyPolicyInhibited() 373: { 374: return anyPolicyInhibited; 375: } 376: 377: /** 378: * Sets the value of the <i>any policy inhibited</i> flag. 379: * 380: * @param value The new value. 381: */ 382: public void setAnyPolicyInhibited(boolean value) 383: { 384: anyPolicyInhibited = value; 385: } 386: 387: /** 388: * Returns the value of the <i>policy qualifiers enabled</i> flag. The 389: * default value of this flag is <code>true</code>. 390: * 391: * @return The <i>policy qualifiers enabled</i> flag. 392: */ 393: public boolean getPolicyQualifiersRejected() 394: { 395: return policyQualRejected; 396: } 397: 398: /** 399: * Sets the value of the <i>policy qualifiers enabled</i> flag. 400: * 401: * @param value The new value. 402: */ 403: public void setPolicyQualifiersRejected(boolean value) 404: { 405: policyQualRejected = value; 406: } 407: 408: /** 409: * Returns the date for which the certificate path should be 410: * validated, or null if the current time should be used. The date 411: * object is copied to prevent subsequent modification. 412: * 413: * @return The date, or null if not set. 414: */ 415: public Date getDate() 416: { 417: return date != null ? (Date) date.clone() : null; 418: } 419: 420: /** 421: * Sets the date for which the certificate path should be validated, 422: * or null if the current time should be used. 423: * 424: * @param date The new date, or null. 425: */ 426: public void setDate(Date date) 427: { 428: if (date != null) 429: this.date = (Date) date.clone(); 430: else 431: this.date = null; 432: } 433: 434: /** 435: * Add a certificate path checker. 436: * 437: * @param checker The certificate path checker to add. 438: */ 439: public void addCertPathChecker(PKIXCertPathChecker checker) 440: { 441: if (checker != null) 442: pathCheckers.add(checker); 443: } 444: 445: /** 446: * Returns an immutable list of all certificate path checkers. 447: * 448: * @return An immutable list of all certificate path checkers. 449: */ 450: public List<PKIXCertPathChecker> getCertPathCheckers() 451: { 452: return Collections.unmodifiableList(pathCheckers); 453: } 454: 455: /** 456: * Sets the certificate path checkers. If the argument is null, the 457: * list of checkers will merely be cleared. 458: * 459: * @param pathCheckers The new list of certificate path checkers. 460: * @throws ClassCastException If any element of <i>pathCheckers</i> is 461: * not a {@link PKIXCertPathChecker}. 462: */ 463: public void setCertPathCheckers(List<PKIXCertPathChecker> pathCheckers) 464: { 465: this.pathCheckers.clear(); 466: if (pathCheckers == null) 467: return; 468: for (Iterator i = pathCheckers.iterator(); i.hasNext(); ) 469: { 470: this.pathCheckers.add((PKIXCertPathChecker) i.next()); 471: } 472: } 473: 474: /** 475: * Returns the signature algorithm provider, or null if not set. 476: * 477: * @return The signature algorithm provider, or null if not set. 478: */ 479: public String getSigProvider() 480: { 481: return sigProvider; 482: } 483: 484: /** 485: * Sets the signature algorithm provider, or null if there is no 486: * preferred provider. 487: * 488: * @param sigProvider The signature provider name. 489: */ 490: public void setSigProvider(String sigProvider) 491: { 492: this.sigProvider = sigProvider; 493: } 494: 495: /** 496: * Returns the constraints placed on the target certificate, or null 497: * if there are none. The target constraints are copied to prevent 498: * subsequent modification. 499: * 500: * @return The target constraints, or null. 501: */ 502: public CertSelector getTargetCertConstraints() 503: { 504: return targetConstraints != null 505: ? (CertSelector) targetConstraints.clone() : null; 506: } 507: 508: /** 509: * Sets the constraints placed on the target certificate. 510: * 511: * @param targetConstraints The target constraints. 512: */ 513: public void setTargetCertConstraints(CertSelector targetConstraints) 514: { 515: this.targetConstraints = targetConstraints != null 516: ? (CertSelector) targetConstraints.clone() : null; 517: } 518: 519: /** 520: * Returns a copy of these parameters. 521: * 522: * @return The copy. 523: */ 524: public Object clone() 525: { 526: return new PKIXParameters(this); 527: } 528: 529: /** 530: * Returns a printable representation of these parameters. 531: * 532: * @return A printable representation of these parameters. 533: */ 534: public String toString() { 535: return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs=" 536: + (initPolicies != null ? initPolicies.toString() : "any") 537: + "; Validity Date=" + date + "; Signature Provider=" 538: + sigProvider + "; Default Revocation Enabled=" + revocationEnabled 539: + "; Explicit Policy Required=" + exPolicyRequired 540: + "; Policy Mapping Inhibited=" + policyMappingInhibited 541: + "; Any Policy Inhibited=" + anyPolicyInhibited 542: + "; Policy Qualifiers Rejected=" + policyQualRejected 543: + "; Target Cert Contstraints=" + targetConstraints 544: + "; Certification Path Checkers=" + pathCheckers 545: + "; CertStores=" + certStores + " ]"; 546: } 547: }