001 /* PKIXParameters.java -- parameters for the PKIX cert path algorithm
002 Copyright (C) 2003 Free Software Foundation, Inc.
003
004 This file is part of GNU Classpath.
005
006 GNU Classpath is free software; you can redistribute it and/or modify
007 it under the terms of the GNU General Public License as published by
008 the Free Software Foundation; either version 2, or (at your option)
009 any later version.
010
011 GNU Classpath is distributed in the hope that it will be useful, but
012 WITHOUT ANY WARRANTY; without even the implied warranty of
013 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014 General Public License for more details.
015
016 You should have received a copy of the GNU General Public License
017 along with GNU Classpath; see the file COPYING. If not, write to the
018 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
019 02110-1301 USA.
020
021 Linking this library statically or dynamically with other modules is
022 making a combined work based on this library. Thus, the terms and
023 conditions of the GNU General Public License cover the whole
024 combination.
025
026 As a special exception, the copyright holders of this library give you
027 permission to link this library with independent modules to produce an
028 executable, regardless of the license terms of these independent
029 modules, and to copy and distribute the resulting executable under
030 terms of your choice, provided that you also meet, for each linked
031 independent module, the terms and conditions of the license of that
032 module. An independent module is a module which is not derived from
033 or based on this library. If you modify this library, you may extend
034 this exception to your version of the library, but you are not
035 obligated to do so. If you do not wish to do so, delete this
036 exception statement from your version. */
037
038
039 package java.security.cert;
040
041 import java.security.InvalidAlgorithmParameterException;
042 import java.security.KeyStore;
043 import java.security.KeyStoreException;
044
045 import java.util.Collections;
046 import java.util.Date;
047 import java.util.Enumeration;
048 import java.util.HashSet;
049 import java.util.Iterator;
050 import java.util.LinkedList;
051 import java.util.List;
052 import java.util.Set;
053
054 /**
055 * Parameters for verifying certificate paths using the PKIX
056 * (Public-Key Infrastructure (X.509)) algorithm.
057 *
058 * @see CertPathBuilder
059 * @since 1.4
060 */
061 public class PKIXParameters implements CertPathParameters
062 {
063
064 // Fields.
065 // ------------------------------------------------------------------------
066
067 /** The trusted certificates. */
068 private final Set trustAnchors;
069
070 /** The set of initial policy identifiers. */
071 private final Set initPolicies;
072
073 /** The list of certificate stores. */
074 private final List certStores;
075
076 /** The list of path checkers. */
077 private final List pathCheckers;
078
079 /** The revocation enabled flag. */
080 private boolean revocationEnabled;
081
082 /** The explicit policy required flag. */
083 private boolean exPolicyRequired;
084
085 /** The policy mapping inhibited flag. */
086 private boolean policyMappingInhibited;
087
088 /** The any policy inhibited flag. */
089 private boolean anyPolicyInhibited;
090
091 /** The policy qualifiers rejected flag. */
092 private boolean policyQualRejected;
093
094 /** The target validation date. */
095 private Date date;
096
097 /** The signature algorithm provider. */
098 private String sigProvider;
099
100 /** The target constraints. */
101 private CertSelector targetConstraints;
102
103 // Constructors.
104 // ------------------------------------------------------------------------
105
106 /**
107 * Create a new PKIXParameters object, populating the trusted
108 * certificates set with all certificates found in the given key
109 * store. All certificates found in the key store are assumed to be
110 * trusted by this constructor.
111 *
112 * @param keystore The key store.
113 * @throws KeyStoreException If the certificates cannot be retrieved
114 * from the key store.
115 * @throws InvalidAlgorithmParameterException If there are no
116 * certificates in the key store.
117 * @throws NullPointerException If <i>keystore</i> is null.
118 */
119 public PKIXParameters(KeyStore keystore)
120 throws KeyStoreException, InvalidAlgorithmParameterException
121 {
122 this();
123 for (Enumeration e = keystore.aliases(); e.hasMoreElements(); )
124 {
125 String alias = (String) e.nextElement();
126 if (!keystore.isCertificateEntry(alias))
127 continue;
128 Certificate cert = keystore.getCertificate(alias);
129 if (cert instanceof X509Certificate)
130 trustAnchors.add(new TrustAnchor((X509Certificate) cert, null));
131 }
132 if (trustAnchors.isEmpty())
133 throw new InvalidAlgorithmParameterException("no certs in the key store");
134 }
135
136 /**
137 * Create a new PKIXParameters object, populating the trusted
138 * certificates set with the elements of the given set, each of which
139 * must be a {@link TrustAnchor}.
140 *
141 * @param trustAnchors The set of trust anchors.
142 * @throws InvalidAlgorithmParameterException If there are no
143 * certificates in the set.
144 * @throws NullPointerException If <i>trustAnchors</i> is null.
145 * @throws ClassCastException If every element in <i>trustAnchors</i>
146 * is not a {@link TrustAnchor}.
147 */
148 public PKIXParameters(Set<TrustAnchor> trustAnchors)
149 throws InvalidAlgorithmParameterException
150 {
151 this();
152 setTrustAnchors(trustAnchors);
153 }
154
155 /**
156 * Default constructor.
157 */
158 private PKIXParameters()
159 {
160 trustAnchors = new HashSet();
161 initPolicies = new HashSet();
162 certStores = new LinkedList();
163 pathCheckers = new LinkedList();
164 revocationEnabled = true;
165 exPolicyRequired = false;
166 policyMappingInhibited = false;
167 anyPolicyInhibited = false;
168 policyQualRejected = true;
169 }
170
171 /**
172 * Copying constructor for cloning.
173 *
174 * @param that The instance being cloned.
175 */
176 private PKIXParameters(PKIXParameters that)
177 {
178 this();
179 this.trustAnchors.addAll(that.trustAnchors);
180 this.initPolicies.addAll(that.initPolicies);
181 this.certStores.addAll(that.certStores);
182 this.pathCheckers.addAll(that.pathCheckers);
183 this.revocationEnabled = that.revocationEnabled;
184 this.exPolicyRequired = that.exPolicyRequired;
185 this.policyMappingInhibited = that.policyMappingInhibited;
186 this.anyPolicyInhibited = that.anyPolicyInhibited;
187 this.policyQualRejected = that.policyQualRejected;
188 this.date = that.date;
189 this.sigProvider = that.sigProvider;
190 this.targetConstraints = that.targetConstraints != null
191 ? (CertSelector) that.targetConstraints.clone() : null;
192 }
193
194 // Instance methods.
195 // ------------------------------------------------------------------------
196
197 /**
198 * Returns an immutable set of trust anchors. The set returned will
199 * never be null and will never be empty.
200 *
201 * @return A (never null, never empty) immutable set of trust anchors.
202 */
203 public Set<TrustAnchor> getTrustAnchors()
204 {
205 return Collections.unmodifiableSet(trustAnchors);
206 }
207
208 /**
209 * Sets the trust anchors of this class, replacing the current trust
210 * anchors with those in the given set. The supplied set is copied to
211 * prevent modification.
212 *
213 * @param trustAnchors The new set of trust anchors.
214 * @throws InvalidAlgorithmParameterException If there are no
215 * certificates in the set.
216 * @throws NullPointerException If <i>trustAnchors</i> is null.
217 * @throws ClassCastException If every element in <i>trustAnchors</i>
218 * is not a {@link TrustAnchor}.
219 */
220 public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
221 throws InvalidAlgorithmParameterException
222 {
223 if (trustAnchors.isEmpty())
224 throw new InvalidAlgorithmParameterException("no trust anchors");
225 this.trustAnchors.clear();
226 for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
227 {
228 this.trustAnchors.add((TrustAnchor) i.next());
229 }
230 }
231
232 /**
233 * Returns the set of initial policy identifiers (as OID strings). If
234 * any policy is accepted, this method returns the empty set.
235 *
236 * @return An immutable set of initial policy OID strings, or the
237 * empty set if any policy is acceptable.
238 */
239 public Set<String> getInitialPolicies()
240 {
241 return Collections.unmodifiableSet(initPolicies);
242 }
243
244 /**
245 * Sets the initial policy identifiers (as OID strings). If the
246 * argument is null or the empty set, then any policy identifier will
247 * be accepted.
248 *
249 * @param initPolicies The new set of policy strings, or null.
250 * @throws ClassCastException If any element in <i>initPolicies</i> is
251 * not a string.
252 */
253 public void setInitialPolicies(Set<String> initPolicies)
254 {
255 this.initPolicies.clear();
256 if (initPolicies == null)
257 return;
258 for (Iterator i = initPolicies.iterator(); i.hasNext(); )
259 {
260 this.initPolicies.add((String) i.next());
261 }
262 }
263
264 /**
265 * Add a {@link CertStore} to the list of cert stores.
266 *
267 * @param store The CertStore to add.
268 */
269 public void addCertStore(CertStore store)
270 {
271 if (store != null)
272 certStores.add(store);
273 }
274
275 /**
276 * Returns an immutable list of cert stores. This method never returns
277 * null.
278 *
279 * @return The list of cert stores.
280 */
281 public List<CertStore> getCertStores()
282 {
283 return Collections.unmodifiableList(certStores);
284 }
285
286 /**
287 * Set the cert stores. If the argument is null the list of cert
288 * stores will be empty.
289 *
290 * @param certStores The cert stores.
291 */
292 public void setCertStores(List<CertStore> certStores)
293 {
294 this.certStores.clear();
295 if (certStores == null)
296 return;
297 for (Iterator i = certStores.iterator(); i.hasNext(); )
298 {
299 this.certStores.add((CertStore) i.next());
300 }
301 }
302
303 /**
304 * Returns the value of the <i>revocation enabled</i> flag. The default
305 * value for this flag is <code>true</code>.
306 *
307 * @return The <i>revocation enabled</i> flag.
308 */
309 public boolean isRevocationEnabled()
310 {
311 return revocationEnabled;
312 }
313
314 /**
315 * Sets the value of the <i>revocation enabled</i> flag.
316 *
317 * @param value The new value.
318 */
319 public void setRevocationEnabled(boolean value)
320 {
321 revocationEnabled = value;
322 }
323
324 /**
325 * Returns the value of the <i>explicit policy required</i> flag. The
326 * default value of this flag is <code>false</code>.
327 *
328 * @return The <i>explicit policy required</i> flag.
329 */
330 public boolean isExplicitPolicyRequired()
331 {
332 return exPolicyRequired;
333 }
334
335 /**
336 * Sets the value of the <i>explicit policy required</i> flag.
337 *
338 * @param value The new value.
339 */
340 public void setExplicitPolicyRequired(boolean value)
341 {
342 exPolicyRequired = value;
343 }
344
345 /**
346 * Returns the value of the <i>policy mapping inhibited</i> flag. The
347 * default value of this flag is <code>false</code>.
348 *
349 * @return The <i>policy mapping inhibited</i> flag.
350 */
351 public boolean isPolicyMappingInhibited()
352 {
353 return policyMappingInhibited;
354 }
355
356 /**
357 * Sets the value of the <i>policy mapping inhibited</i> flag.
358 *
359 * @param value The new value.
360 */
361 public void setPolicyMappingInhibited(boolean value)
362 {
363 policyMappingInhibited = value;
364 }
365
366 /**
367 * Returns the value of the <i>any policy inhibited</i> flag. The
368 * default value of this flag is <code>false</code>.
369 *
370 * @return The <i>any policy inhibited</i> flag.
371 */
372 public boolean isAnyPolicyInhibited()
373 {
374 return anyPolicyInhibited;
375 }
376
377 /**
378 * Sets the value of the <i>any policy inhibited</i> flag.
379 *
380 * @param value The new value.
381 */
382 public void setAnyPolicyInhibited(boolean value)
383 {
384 anyPolicyInhibited = value;
385 }
386
387 /**
388 * Returns the value of the <i>policy qualifiers enabled</i> flag. The
389 * default value of this flag is <code>true</code>.
390 *
391 * @return The <i>policy qualifiers enabled</i> flag.
392 */
393 public boolean getPolicyQualifiersRejected()
394 {
395 return policyQualRejected;
396 }
397
398 /**
399 * Sets the value of the <i>policy qualifiers enabled</i> flag.
400 *
401 * @param value The new value.
402 */
403 public void setPolicyQualifiersRejected(boolean value)
404 {
405 policyQualRejected = value;
406 }
407
408 /**
409 * Returns the date for which the certificate path should be
410 * validated, or null if the current time should be used. The date
411 * object is copied to prevent subsequent modification.
412 *
413 * @return The date, or null if not set.
414 */
415 public Date getDate()
416 {
417 return date != null ? (Date) date.clone() : null;
418 }
419
420 /**
421 * Sets the date for which the certificate path should be validated,
422 * or null if the current time should be used.
423 *
424 * @param date The new date, or null.
425 */
426 public void setDate(Date date)
427 {
428 if (date != null)
429 this.date = (Date) date.clone();
430 else
431 this.date = null;
432 }
433
434 /**
435 * Add a certificate path checker.
436 *
437 * @param checker The certificate path checker to add.
438 */
439 public void addCertPathChecker(PKIXCertPathChecker checker)
440 {
441 if (checker != null)
442 pathCheckers.add(checker);
443 }
444
445 /**
446 * Returns an immutable list of all certificate path checkers.
447 *
448 * @return An immutable list of all certificate path checkers.
449 */
450 public List<PKIXCertPathChecker> getCertPathCheckers()
451 {
452 return Collections.unmodifiableList(pathCheckers);
453 }
454
455 /**
456 * Sets the certificate path checkers. If the argument is null, the
457 * list of checkers will merely be cleared.
458 *
459 * @param pathCheckers The new list of certificate path checkers.
460 * @throws ClassCastException If any element of <i>pathCheckers</i> is
461 * not a {@link PKIXCertPathChecker}.
462 */
463 public void setCertPathCheckers(List<PKIXCertPathChecker> pathCheckers)
464 {
465 this.pathCheckers.clear();
466 if (pathCheckers == null)
467 return;
468 for (Iterator i = pathCheckers.iterator(); i.hasNext(); )
469 {
470 this.pathCheckers.add((PKIXCertPathChecker) i.next());
471 }
472 }
473
474 /**
475 * Returns the signature algorithm provider, or null if not set.
476 *
477 * @return The signature algorithm provider, or null if not set.
478 */
479 public String getSigProvider()
480 {
481 return sigProvider;
482 }
483
484 /**
485 * Sets the signature algorithm provider, or null if there is no
486 * preferred provider.
487 *
488 * @param sigProvider The signature provider name.
489 */
490 public void setSigProvider(String sigProvider)
491 {
492 this.sigProvider = sigProvider;
493 }
494
495 /**
496 * Returns the constraints placed on the target certificate, or null
497 * if there are none. The target constraints are copied to prevent
498 * subsequent modification.
499 *
500 * @return The target constraints, or null.
501 */
502 public CertSelector getTargetCertConstraints()
503 {
504 return targetConstraints != null
505 ? (CertSelector) targetConstraints.clone() : null;
506 }
507
508 /**
509 * Sets the constraints placed on the target certificate.
510 *
511 * @param targetConstraints The target constraints.
512 */
513 public void setTargetCertConstraints(CertSelector targetConstraints)
514 {
515 this.targetConstraints = targetConstraints != null
516 ? (CertSelector) targetConstraints.clone() : null;
517 }
518
519 /**
520 * Returns a copy of these parameters.
521 *
522 * @return The copy.
523 */
524 public Object clone()
525 {
526 return new PKIXParameters(this);
527 }
528
529 /**
530 * Returns a printable representation of these parameters.
531 *
532 * @return A printable representation of these parameters.
533 */
534 public String toString() {
535 return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs="
536 + (initPolicies != null ? initPolicies.toString() : "any")
537 + "; Validity Date=" + date + "; Signature Provider="
538 + sigProvider + "; Default Revocation Enabled=" + revocationEnabled
539 + "; Explicit Policy Required=" + exPolicyRequired
540 + "; Policy Mapping Inhibited=" + policyMappingInhibited
541 + "; Any Policy Inhibited=" + anyPolicyInhibited
542 + "; Policy Qualifiers Rejected=" + policyQualRejected
543 + "; Target Cert Contstraints=" + targetConstraints
544 + "; Certification Path Checkers=" + pathCheckers
545 + "; CertStores=" + certStores + " ]";
546 }
547 }