Source for java.security.cert.PKIXParameters

   1: /* PKIXParameters.java -- parameters for the PKIX cert path algorithm
   2:    Copyright (C) 2003 Free Software Foundation, Inc.
   3: 
   4: This file is part of GNU Classpath.
   5: 
   6: GNU Classpath is free software; you can redistribute it and/or modify
   7: it under the terms of the GNU General Public License as published by
   8: the Free Software Foundation; either version 2, or (at your option)
   9: any later version.
  10: 
  11: GNU Classpath is distributed in the hope that it will be useful, but
  12: WITHOUT ANY WARRANTY; without even the implied warranty of
  13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14: General Public License for more details.
  15: 
  16: You should have received a copy of the GNU General Public License
  17: along with GNU Classpath; see the file COPYING.  If not, write to the
  18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  19: 02110-1301 USA.
  20: 
  21: Linking this library statically or dynamically with other modules is
  22: making a combined work based on this library.  Thus, the terms and
  23: conditions of the GNU General Public License cover the whole
  24: combination.
  25: 
  26: As a special exception, the copyright holders of this library give you
  27: permission to link this library with independent modules to produce an
  28: executable, regardless of the license terms of these independent
  29: modules, and to copy and distribute the resulting executable under
  30: terms of your choice, provided that you also meet, for each linked
  31: independent module, the terms and conditions of the license of that
  32: module.  An independent module is a module which is not derived from
  33: or based on this library.  If you modify this library, you may extend
  34: this exception to your version of the library, but you are not
  35: obligated to do so.  If you do not wish to do so, delete this
  36: exception statement from your version. */
  37: 
  38: 
  39: package java.security.cert;
  40: 
  41: import java.security.InvalidAlgorithmParameterException;
  42: import java.security.KeyStore;
  43: import java.security.KeyStoreException;
  44: 
  45: import java.util.Collections;
  46: import java.util.Date;
  47: import java.util.Enumeration;
  48: import java.util.HashSet;
  49: import java.util.Iterator;
  50: import java.util.LinkedList;
  51: import java.util.List;
  52: import java.util.Set;
  53: 
  54: /**
  55:  * Parameters for verifying certificate paths using the PKIX
  56:  * (Public-Key Infrastructure (X.509)) algorithm.
  57:  *
  58:  * @see CertPathBuilder
  59:  * @since 1.4
  60:  */
  61: public class PKIXParameters implements CertPathParameters
  62: {
  63: 
  64:   // Fields.
  65:   // ------------------------------------------------------------------------
  66: 
  67:   /** The trusted certificates. */
  68:   private final Set trustAnchors;
  69: 
  70:   /** The set of initial policy identifiers. */
  71:   private final Set initPolicies;
  72: 
  73:   /** The list of certificate stores. */
  74:   private final List certStores;
  75: 
  76:   /** The list of path checkers. */
  77:   private final List pathCheckers;
  78: 
  79:   /** The revocation enabled flag. */
  80:   private boolean revocationEnabled;
  81: 
  82:   /** The explicit policy required flag. */
  83:   private boolean exPolicyRequired;
  84: 
  85:   /** The policy mapping inhibited flag. */
  86:   private boolean policyMappingInhibited;
  87: 
  88:   /** The any policy inhibited flag. */
  89:   private boolean anyPolicyInhibited;
  90: 
  91:   /** The policy qualifiers rejected flag. */
  92:   private boolean policyQualRejected;
  93: 
  94:   /** The target validation date. */
  95:   private Date date;
  96: 
  97:   /** The signature algorithm provider. */
  98:   private String sigProvider;
  99: 
 100:   /** The target constraints. */
 101:   private CertSelector targetConstraints;
 102: 
 103:   // Constructors.
 104:   // ------------------------------------------------------------------------
 105: 
 106:   /**
 107:    * Create a new PKIXParameters object, populating the trusted
 108:    * certificates set with all certificates found in the given key
 109:    * store. All certificates found in the key store are assumed to be
 110:    * trusted by this constructor.
 111:    *
 112:    * @param keystore The key store.
 113:    * @throws KeyStoreException If the certificates cannot be retrieved
 114:    *         from the key store.
 115:    * @throws InvalidAlgorithmParameterException If there are no
 116:    *         certificates in the key store.
 117:    * @throws NullPointerException If <i>keystore</i> is null.
 118:    */
 119:   public PKIXParameters(KeyStore keystore)
 120:     throws KeyStoreException, InvalidAlgorithmParameterException
 121:   {
 122:     this();
 123:     for (Enumeration e = keystore.aliases(); e.hasMoreElements(); )
 124:       {
 125:         String alias = (String) e.nextElement();
 126:         if (!keystore.isCertificateEntry(alias))
 127:           continue;
 128:         Certificate cert = keystore.getCertificate(alias);
 129:         if (cert instanceof X509Certificate)
 130:           trustAnchors.add(new TrustAnchor((X509Certificate) cert, null));
 131:       }
 132:     if (trustAnchors.isEmpty())
 133:       throw new InvalidAlgorithmParameterException("no certs in the key store");
 134:   }
 135: 
 136:   /**
 137:    * Create a new PKIXParameters object, populating the trusted
 138:    * certificates set with the elements of the given set, each of which
 139:    * must be a {@link TrustAnchor}.
 140:    *
 141:    * @param trustAnchors The set of trust anchors.
 142:    * @throws InvalidAlgorithmParameterException If there are no
 143:    *         certificates in the set.
 144:    * @throws NullPointerException If <i>trustAnchors</i> is null.
 145:    * @throws ClassCastException If every element in <i>trustAnchors</i>
 146:    *         is not a {@link TrustAnchor}.
 147:    */
 148:   public PKIXParameters(Set<TrustAnchor> trustAnchors)
 149:     throws InvalidAlgorithmParameterException
 150:   {
 151:     this();
 152:     setTrustAnchors(trustAnchors);
 153:   }
 154: 
 155:   /**
 156:    * Default constructor.
 157:    */
 158:   private PKIXParameters()
 159:   {
 160:     trustAnchors = new HashSet();
 161:     initPolicies = new HashSet();
 162:     certStores = new LinkedList();
 163:     pathCheckers = new LinkedList();
 164:     revocationEnabled = true;
 165:     exPolicyRequired = false;
 166:     policyMappingInhibited = false;
 167:     anyPolicyInhibited = false;
 168:     policyQualRejected = true;
 169:   }
 170: 
 171:   /**
 172:    * Copying constructor for cloning.
 173:    *
 174:    * @param that The instance being cloned.
 175:    */
 176:   private PKIXParameters(PKIXParameters that)
 177:   {
 178:     this();
 179:     this.trustAnchors.addAll(that.trustAnchors);
 180:     this.initPolicies.addAll(that.initPolicies);
 181:     this.certStores.addAll(that.certStores);
 182:     this.pathCheckers.addAll(that.pathCheckers);
 183:     this.revocationEnabled = that.revocationEnabled;
 184:     this.exPolicyRequired = that.exPolicyRequired;
 185:     this.policyMappingInhibited = that.policyMappingInhibited;
 186:     this.anyPolicyInhibited = that.anyPolicyInhibited;
 187:     this.policyQualRejected = that.policyQualRejected;
 188:     this.date = that.date;
 189:     this.sigProvider = that.sigProvider;
 190:     this.targetConstraints = that.targetConstraints != null
 191:       ? (CertSelector) that.targetConstraints.clone() : null;
 192:   }
 193: 
 194:   // Instance methods.
 195:   // ------------------------------------------------------------------------
 196: 
 197:   /**
 198:    * Returns an immutable set of trust anchors. The set returned will
 199:    * never be null and will never be empty.
 200:    *
 201:    * @return A (never null, never empty) immutable set of trust anchors.
 202:    */
 203:   public Set<TrustAnchor> getTrustAnchors()
 204:   {
 205:     return Collections.unmodifiableSet(trustAnchors);
 206:   }
 207: 
 208:   /**
 209:    * Sets the trust anchors of this class, replacing the current trust
 210:    * anchors with those in the given set. The supplied set is copied to
 211:    * prevent modification.
 212:    *
 213:    * @param trustAnchors The new set of trust anchors.
 214:    * @throws InvalidAlgorithmParameterException If there are no
 215:    *         certificates in the set.
 216:    * @throws NullPointerException If <i>trustAnchors</i> is null.
 217:    * @throws ClassCastException If every element in <i>trustAnchors</i>
 218:    *         is not a {@link TrustAnchor}.
 219:    */
 220:   public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
 221:     throws InvalidAlgorithmParameterException
 222:   {
 223:     if (trustAnchors.isEmpty())
 224:       throw new InvalidAlgorithmParameterException("no trust anchors");
 225:     this.trustAnchors.clear();
 226:     for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
 227:       {
 228:         this.trustAnchors.add((TrustAnchor) i.next());
 229:       }
 230:   }
 231: 
 232:   /**
 233:    * Returns the set of initial policy identifiers (as OID strings). If
 234:    * any policy is accepted, this method returns the empty set.
 235:    *
 236:    * @return An immutable set of initial policy OID strings, or the
 237:    *         empty set if any policy is acceptable.
 238:    */
 239:   public Set<String> getInitialPolicies()
 240:   {
 241:     return Collections.unmodifiableSet(initPolicies);
 242:   }
 243: 
 244:   /**
 245:    * Sets the initial policy identifiers (as OID strings). If the
 246:    * argument is null or the empty set, then any policy identifier will
 247:    * be accepted.
 248:    *
 249:    * @param initPolicies The new set of policy strings, or null.
 250:    * @throws ClassCastException If any element in <i>initPolicies</i> is
 251:    *         not a string.
 252:    */
 253:   public void setInitialPolicies(Set<String> initPolicies)
 254:   {
 255:     this.initPolicies.clear();
 256:     if (initPolicies == null)
 257:       return;
 258:     for (Iterator i = initPolicies.iterator(); i.hasNext(); )
 259:       {
 260:         this.initPolicies.add((String) i.next());
 261:       }
 262:   }
 263: 
 264:   /**
 265:    * Add a {@link CertStore} to the list of cert stores.
 266:    *
 267:    * @param store The CertStore to add.
 268:    */
 269:   public void addCertStore(CertStore store)
 270:   {
 271:     if (store != null)
 272:       certStores.add(store);
 273:   }
 274: 
 275:   /**
 276:    * Returns an immutable list of cert stores. This method never returns
 277:    * null.
 278:    *
 279:    * @return The list of cert stores.
 280:    */
 281:   public List<CertStore> getCertStores()
 282:   {
 283:     return Collections.unmodifiableList(certStores);
 284:   }
 285: 
 286:   /**
 287:    * Set the cert stores. If the argument is null the list of cert
 288:    * stores will be empty.
 289:    *
 290:    * @param certStores The cert stores.
 291:    */
 292:   public void setCertStores(List<CertStore> certStores)
 293:   {
 294:     this.certStores.clear();
 295:     if (certStores == null)
 296:       return;
 297:     for (Iterator i = certStores.iterator(); i.hasNext(); )
 298:       {
 299:         this.certStores.add((CertStore) i.next());
 300:       }
 301:   }
 302: 
 303:   /**
 304:    * Returns the value of the <i>revocation enabled</i> flag. The default
 305:    * value for this flag is <code>true</code>.
 306:    *
 307:    * @return The <i>revocation enabled</i> flag.
 308:    */
 309:   public boolean isRevocationEnabled()
 310:   {
 311:     return revocationEnabled;
 312:   }
 313: 
 314:   /**
 315:    * Sets the value of the <i>revocation enabled</i> flag.
 316:    *
 317:    * @param value The new value.
 318:    */
 319:   public void setRevocationEnabled(boolean value)
 320:   {
 321:     revocationEnabled = value;
 322:   }
 323: 
 324:   /**
 325:    * Returns the value of the <i>explicit policy required</i> flag. The
 326:    * default value of this flag is <code>false</code>.
 327:    *
 328:    * @return The <i>explicit policy required</i> flag.
 329:    */
 330:   public boolean isExplicitPolicyRequired()
 331:   {
 332:     return exPolicyRequired;
 333:   }
 334: 
 335:   /**
 336:    * Sets the value of the <i>explicit policy required</i> flag.
 337:    *
 338:    * @param value The new value.
 339:    */
 340:   public void setExplicitPolicyRequired(boolean value)
 341:   {
 342:     exPolicyRequired = value;
 343:   }
 344: 
 345:   /**
 346:    * Returns the value of the <i>policy mapping inhibited</i> flag. The
 347:    * default value of this flag is <code>false</code>.
 348:    *
 349:    * @return The <i>policy mapping inhibited</i> flag.
 350:    */
 351:   public boolean isPolicyMappingInhibited()
 352:   {
 353:     return policyMappingInhibited;
 354:   }
 355: 
 356:   /**
 357:    * Sets the value of the <i>policy mapping inhibited</i> flag.
 358:    *
 359:    * @param value The new value.
 360:    */
 361:   public void setPolicyMappingInhibited(boolean value)
 362:   {
 363:     policyMappingInhibited = value;
 364:   }
 365: 
 366:   /**
 367:    * Returns the value of the <i>any policy inhibited</i> flag. The
 368:    * default value of this flag is <code>false</code>.
 369:    *
 370:    * @return The <i>any policy inhibited</i> flag.
 371:    */
 372:   public boolean isAnyPolicyInhibited()
 373:   {
 374:     return anyPolicyInhibited;
 375:   }
 376: 
 377:   /**
 378:    * Sets the value of the <i>any policy inhibited</i> flag.
 379:    *
 380:    * @param value The new value.
 381:    */
 382:   public void setAnyPolicyInhibited(boolean value)
 383:   {
 384:     anyPolicyInhibited = value;
 385:   }
 386: 
 387:   /**
 388:    * Returns the value of the <i>policy qualifiers enabled</i> flag. The
 389:    * default value of this flag is <code>true</code>.
 390:    *
 391:    * @return The <i>policy qualifiers enabled</i> flag.
 392:    */
 393:   public boolean getPolicyQualifiersRejected()
 394:   {
 395:     return policyQualRejected;
 396:   }
 397: 
 398:   /**
 399:    * Sets the value of the <i>policy qualifiers enabled</i> flag.
 400:    *
 401:    * @param value The new value.
 402:    */
 403:   public void setPolicyQualifiersRejected(boolean value)
 404:   {
 405:     policyQualRejected = value;
 406:   }
 407: 
 408:   /**
 409:    * Returns the date for which the certificate path should be
 410:    * validated, or null if the current time should be used. The date
 411:    * object is copied to prevent subsequent modification.
 412:    *
 413:    * @return The date, or null if not set.
 414:    */
 415:   public Date getDate()
 416:   {
 417:     return date != null ? (Date) date.clone() : null;
 418:   }
 419: 
 420:   /**
 421:    * Sets the date for which the certificate path should be validated,
 422:    * or null if the current time should be used.
 423:    *
 424:    * @param date The new date, or null.
 425:    */
 426:   public void setDate(Date date)
 427:   {
 428:     if (date != null)
 429:       this.date = (Date) date.clone();
 430:     else
 431:       this.date = null;
 432:   }
 433: 
 434:   /**
 435:    * Add a certificate path checker.
 436:    *
 437:    * @param checker The certificate path checker to add.
 438:    */
 439:   public void addCertPathChecker(PKIXCertPathChecker checker)
 440:   {
 441:     if (checker != null)
 442:       pathCheckers.add(checker);
 443:   }
 444: 
 445:   /**
 446:    * Returns an immutable list of all certificate path checkers.
 447:    *
 448:    * @return An immutable list of all certificate path checkers.
 449:    */
 450:   public List<PKIXCertPathChecker> getCertPathCheckers()
 451:   {
 452:     return Collections.unmodifiableList(pathCheckers);
 453:   }
 454: 
 455:   /**
 456:    * Sets the certificate path checkers. If the argument is null, the
 457:    * list of checkers will merely be cleared.
 458:    *
 459:    * @param pathCheckers The new list of certificate path checkers.
 460:    * @throws ClassCastException If any element of <i>pathCheckers</i> is
 461:    *         not a {@link PKIXCertPathChecker}.
 462:    */
 463:   public void setCertPathCheckers(List<PKIXCertPathChecker> pathCheckers)
 464:   {
 465:     this.pathCheckers.clear();
 466:     if (pathCheckers == null)
 467:       return;
 468:     for (Iterator i = pathCheckers.iterator(); i.hasNext(); )
 469:       {
 470:         this.pathCheckers.add((PKIXCertPathChecker) i.next());
 471:       }
 472:   }
 473: 
 474:   /**
 475:    * Returns the signature algorithm provider, or null if not set.
 476:    *
 477:    * @return The signature algorithm provider, or null if not set.
 478:    */
 479:   public String getSigProvider()
 480:   {
 481:     return sigProvider;
 482:   }
 483: 
 484:   /**
 485:    * Sets the signature algorithm provider, or null if there is no
 486:    * preferred provider.
 487:    *
 488:    * @param sigProvider The signature provider name.
 489:    */
 490:   public void setSigProvider(String sigProvider)
 491:   {
 492:     this.sigProvider = sigProvider;
 493:   }
 494: 
 495:   /**
 496:    * Returns the constraints placed on the target certificate, or null
 497:    * if there are none. The target constraints are copied to prevent
 498:    * subsequent modification.
 499:    *
 500:    * @return The target constraints, or null.
 501:    */
 502:   public CertSelector getTargetCertConstraints()
 503:   {
 504:     return targetConstraints != null
 505:       ? (CertSelector) targetConstraints.clone() : null;
 506:   }
 507: 
 508:   /**
 509:    * Sets the constraints placed on the target certificate.
 510:    *
 511:    * @param targetConstraints The target constraints.
 512:    */
 513:   public void setTargetCertConstraints(CertSelector targetConstraints)
 514:   {
 515:     this.targetConstraints = targetConstraints != null
 516:       ? (CertSelector) targetConstraints.clone() : null;
 517:   }
 518: 
 519:   /**
 520:    * Returns a copy of these parameters.
 521:    *
 522:    * @return The copy.
 523:    */
 524:   public Object clone()
 525:   {
 526:     return new PKIXParameters(this);
 527:   }
 528: 
 529:   /**
 530:    * Returns a printable representation of these parameters.
 531:    *
 532:    * @return A printable representation of these parameters.
 533:    */
 534:   public String toString() {
 535:     return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs="
 536:       + (initPolicies != null ? initPolicies.toString() : "any")
 537:       + "; Validity Date=" + date + "; Signature Provider="
 538:       + sigProvider + "; Default Revocation Enabled=" + revocationEnabled
 539:       + "; Explicit Policy Required=" + exPolicyRequired
 540:       + "; Policy Mapping Inhibited=" + policyMappingInhibited
 541:       + "; Any Policy Inhibited=" + anyPolicyInhibited
 542:       + "; Policy Qualifiers Rejected=" + policyQualRejected
 543:       + "; Target Cert Contstraints=" + targetConstraints
 544:       + "; Certification Path Checkers=" + pathCheckers
 545:       + "; CertStores=" + certStores + " ]";
 546:   }
 547: }