/*
 * @(#)PKIXParameters.java	1.14 03/01/23
 *
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package java.security.cert;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/**
 * Parameters used as input for the PKIX <code>CertPathValidator</code>
 * algorithm. 
 * <p>
 * A PKIX <code>CertPathValidator</code> uses these parameters to
 * validate a <code>CertPath</code> according to the PKIX certification path 
 * validation algorithm.
 *
 * <p>To instantiate a <code>PKIXParameters</code> object, an
 * application must specify one or more <i>most-trusted CAs</i> as defined by
 * the PKIX certification path validation algorithm. The most-trusted CAs
 * can be specified using one of two constructors. An application
 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)}, 
 * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each
 * of which identify a most-trusted CA. Alternatively, an application can call 
 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a 
 * <code>KeyStore</code> instance containing trusted certificate entries, each 
 * of which will be considered as a most-trusted CA.
 * <p>
 * Once a <code>PKIXParameters</code> object has been created, other parameters
 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies} 
 * or {@link #setDate setDate}, for instance) and then the 
 * <code>PKIXParameters</code> is passed along with the <code>CertPath</code> 
 * to be validated to {@link CertPathValidator#validate 
 * CertPathValidator.validate}. 
 * <p>
 * Any parameter that is not set (or is set to <code>null</code>) will 
 * be set to the default value for that parameter. The default value for the 
 * <code>date</code> parameter is <code>null</code>, which indicates 
 * the current time when the path is validated. The default for the 
 * remaining parameters is the least constrained.
 * <p>
 * <b>Concurrent Access</b>
 * <p>
 * Unless otherwise specified, the methods defined in this class are not
 * thread-safe. Multiple threads that need to access a single
 * object concurrently should synchronize amongst themselves and
 * provide the necessary locking. Multiple threads each manipulating
 * separate objects need not synchronize.
 *
 * @see CertPathValidator
 *
 * @version 	1.14 01/23/03
 * @since	1.4
 * @author	Sean Mullan
 * @author	Yassir Elley
 */
public class PKIXParameters implements CertPathParameters {

    private Set unmodTrustAnchors;
    private Date date;
    private List certPathCheckers;
    private String sigProvider;
    private boolean revocationEnabled = true;
    private Set unmodInitialPolicies;
    private boolean explicitPolicyRequired = false;
    private boolean policyMappingInhibited = false;
    private boolean anyPolicyInhibited = false;
    private boolean policyQualifiersRejected = true;
    private List certStores;
    private CertSelector certSelector;

    /**
     * Creates an instance of <code>PKIXParameters</code> with the specified
     * <code>Set</code> of most-trusted CAs. Each element of the 
     * set is a {@link TrustAnchor TrustAnchor}.
     * <p>
     * Note that the <code>Set</code> is copied to protect against
     * subsequent modifications.
     *
     * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
     * @throws InvalidAlgorithmParameterException if the specified 
     * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
     * @throws NullPointerException if the specified <code>Set</code> is
     * <code>null</code>
     * @throws ClassCastException if any of the elements in the <code>Set</code>
     * are not of type <code>java.security.cert.TrustAnchor</code>
     */
    public PKIXParameters(Set trustAnchors)
        throws InvalidAlgorithmParameterException
    {
	setTrustAnchors(trustAnchors);
	this.unmodInitialPolicies = Collections.unmodifiableSet(new HashSet());
	this.certPathCheckers = new ArrayList();
	this.certStores = new ArrayList();
    }

    /**
     * Creates an instance of <code>PKIXParameters</code> that 
     * populates the set of most-trusted CAs from the trusted 
     * certificate entries contained in the specified <code>KeyStore</code>.
     * Only keystore entries that contain trusted <code>X509Certificates</code>
     * are considered; all other certificate types are ignored.
     * 
     * @param keystore a <code>KeyStore</code> from which the set of 
     * most-trusted CAs will be populated
     * @throws KeyStoreException if the keystore has not been initialized
     * @throws InvalidAlgorithmParameterException if the keystore does
     * not contain at least one trusted certificate entry
     * @throws NullPointerException if the keystore is <code>null</code>
     */
    public PKIXParameters(KeyStore keystore) 
        throws KeyStoreException, InvalidAlgorithmParameterException 
    {
	if (keystore == null)
	    throw new NullPointerException("the keystore parameter must be " +
		"non-null");
        HashSet hashSet = new HashSet();
        Enumeration aliases = keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            if (keystore.isCertificateEntry(alias)) {
		Certificate cert = keystore.getCertificate(alias);
		if (cert instanceof X509Certificate)
                    hashSet.add(new TrustAnchor((X509Certificate)cert, null));
	    }
        }
  	setTrustAnchors(hashSet);
	this.unmodInitialPolicies = Collections.unmodifiableSet(new HashSet());
	this.certPathCheckers = new ArrayList();
	this.certStores = new ArrayList();
    }

    /**
     * Returns an immutable <code>Set</code> of the most-trusted 
     * CAs.
     *
     * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s 
     * (never <code>null</code>)
     *
     * @see #setTrustAnchors
     */
    public Set getTrustAnchors() {
	return this.unmodTrustAnchors;
    }

    /**
     * Sets the <code>Set</code> of most-trusted CAs. 
     * <p>
     * Note that the <code>Set</code> is copied to protect against
     * subsequent modifications.
     *
     * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
     * @throws InvalidAlgorithmParameterException if the specified 
     * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
     * @throws NullPointerException if the specified <code>Set</code> is
     * <code>null</code>
     * @throws ClassCastException if any of the elements in the set
     * are not of type <code>java.security.cert.TrustAnchor</code>
     *
     * @see #getTrustAnchors
     */
    public void setTrustAnchors(Set trustAnchors) 
        throws InvalidAlgorithmParameterException 
    {
	if (trustAnchors == null) 
	    throw new NullPointerException("the trustAnchors parameters must" +
		" be non-null");
	if (trustAnchors.isEmpty())
	    throw new InvalidAlgorithmParameterException("the trustAnchors " +
		"parameter must be non-empty");
        for (Iterator i = trustAnchors.iterator(); i.hasNext();) {
            if (!(i.next() instanceof TrustAnchor))
	        throw new ClassCastException("all elements of set must be "
	            + "of type java.security.cert.TrustAnchor");
        }
        this.unmodTrustAnchors = 
	        Collections.unmodifiableSet(new HashSet(trustAnchors));
    }

    /**
     * Returns an immutable <code>Set</code> of initial
     * policy identifiers (OID strings), indicating that any one of these
     * policies would be acceptable to the certificate user for the purposes of
     * certification path processing. The default return value is an empty 
     * <code>Set</code>, which is interpreted as meaning that any policy would 
     * be acceptable.
     *
     * @return an immutable <code>Set</code> of initial policy OIDs in
     * <code>String</code> format, or an empty <code>Set</code> (implying any 
     * policy is acceptable). Never returns <code>null</code>.
     *
     * @see #setInitialPolicies
     */
    public Set getInitialPolicies() {
	return this.unmodInitialPolicies;
    }

    /**
     * Sets the <code>Set</code> of initial policy identifiers 
     * (OID strings), indicating that any one of these
     * policies would be acceptable to the certificate user for the purposes of
     * certification path processing. By default, any policy is acceptable 
     * (i.e. all policies), so a user that wants to allow any policy as
     * acceptable does not need to call this method, or can call it
     * with an empty <code>Set</code> (or <code>null</code>).
     * <p>
     * Note that the <code>Set</code> is copied to protect against
     * subsequent modifications.
     *
     * @param initialPolicies a <code>Set</code> of initial policy 
     * OIDs in <code>String</code> format (or <code>null</code>)
     * @throws ClassCastException if any of the elements in the set are
     * not of type <code>String</code>
     *
     * @see #getInitialPolicies
     */
    public void setInitialPolicies(Set initialPolicies) {
	if (initialPolicies != null) {
	    for (Iterator i = initialPolicies.iterator(); i.hasNext();) {
	        if (!(i.next() instanceof String))
		    throw new ClassCastException("all elements of set must be "
		        + "of type java.lang.String");
	    }
	    this.unmodInitialPolicies = 
		Collections.unmodifiableSet(new HashSet(initialPolicies));
	} else
	    this.unmodInitialPolicies = 
		Collections.unmodifiableSet(new HashSet());
    }
    
    /**
     * Sets the list of <code>CertStore</code>s to be used in finding
     * certificates and CRLs. May be <code>null</code>, in which case
     * no <code>CertStore</code>s will be used. The first
     * <code>CertStore</code>s in the list may be preferred to those that
     * appear later. 
     * <p>
     * Note that the <code>List</code> is copied to protect against 
     * subsequent modifications.
     *
     * @param stores a <code>List</code> of <code>CertStore</code>s (or 
     * <code>null</code>)
     * @throws ClassCastException if any of the elements in the list are
     * not of type <code>java.security.cert.CertStore</code>
     *
     * @see #getCertStores
     */
    public void setCertStores(List stores) {
        if (stores == null)
	    this.certStores = new ArrayList();
        else {
	    for (Iterator i = stores.iterator(); i.hasNext();) {
	        if (!(i.next() instanceof CertStore))
		    throw new ClassCastException("all elements of list must be "
		        + "of type java.security.cert.CertStore");
	    }
	    this.certStores = new ArrayList(stores);
	}
    }

    /**
     * Adds a <code>CertStore</code> to the end of the list of 
     * <code>CertStore</code>s used in finding certificates and CRLs.
     *
     * @param store the <code>CertStore</code> to add. If <code>null</code>,
     * the store is ignored (not added to list).
     */
    public void addCertStore(CertStore store) {
	if (store != null)
            this.certStores.add(store);
    }

    /**
     * Returns an immutable <code>List</code> of <code>CertStore</code>s that
     * are used to find certificates and CRLs.
     *
     * @return an immutable <code>List</code> of <code>CertStore</code>s 
     * (may be empty, but never <code>null</code>)
     *
     * @see #setCertStores
     */
    public List getCertStores() {
        return Collections.unmodifiableList(new ArrayList(this.certStores));
    }

    /**
     * Sets the RevocationEnabled flag. If this flag is true, the default
     * revocation checking mechanism of the underlying PKIX service provider 
     * will be used. If this flag is false, the default revocation checking 
     * mechanism will be disabled (not used). 
     * <p>
     * When a <code>PKIXParameters</code> object is created, this flag is set
     * to true. This setting reflects the most common strategy for checking
     * revocation, since each service provider must support revocation 
     * checking to be PKIX compliant. Sophisticated applications should set
     * this flag to false when it is not practical to use a PKIX service 
     * provider's default revocation checking mechanism or when an alternative 
     * revocation checking mechanism is to be substituted (by also calling the 
     * {@link #addCertPathChecker addCertPathChecker} or {@link 
     * #setCertPathCheckers setCertPathCheckers} methods).
     *
     * @param val the new value of the RevocationEnabled flag
     */
    public void setRevocationEnabled(boolean val) {
	revocationEnabled = val;
    }

    /**
     * Checks the RevocationEnabled flag. If this flag is true, the default
     * revocation checking mechanism of the underlying PKIX service provider 
     * will be used. If this flag is false, the default revocation checking 
     * mechanism will be disabled (not used). See the {@link 
     * #setRevocationEnabled setRevocationEnabled} method for more details on 
     * setting the value of this flag.
     *
     * @return the current value of the RevocationEnabled flag
     */
    public boolean isRevocationEnabled() {
	return revocationEnabled;
    }

    /**
     * Sets the ExplicitPolicyRequired flag. If this flag is true, an 
     * acceptable policy needs to be explicitly identified in every certificate.
     * By default, the ExplicitPolicyRequired flag is false.
     *
     * @param val <code>true</code> if explicit policy is to be required, 
     * <code>false</code> otherwise
     */
    public void setExplicitPolicyRequired(boolean val) {
	explicitPolicyRequired = val;
    }

    /**
     * Checks if explicit policy is required. If this flag is true, an 
     * acceptable policy needs to be explicitly identified in every certificate.
     * By default, the ExplicitPolicyRequired flag is false.
     *
     * @return <code>true</code> if explicit policy is required, 
     * <code>false</code> otherwise
     */
    public boolean isExplicitPolicyRequired() {
	return explicitPolicyRequired;
    }

    /**
     * Sets the PolicyMappingInhibited flag. If this flag is true, policy 
     * mapping is inhibited. By default, policy mapping is not inhibited (the
     * flag is false).
     *
     * @param val <code>true</code> if policy mapping is to be inhibited, 
     * <code>false</code> otherwise
     */
    public void setPolicyMappingInhibited(boolean val) {
	policyMappingInhibited = val;
    }

    /**
     * Checks if policy mapping is inhibited. If this flag is true, policy 
     * mapping is inhibited. By default, policy mapping is not inhibited (the
     * flag is false).
     *
     * @return true if policy mapping is inhibited, false otherwise
     */
    public boolean isPolicyMappingInhibited() {
	return policyMappingInhibited;
    }

    /**
     * Sets state to determine if the any policy OID should be processed
     * if it is included in a certificate. By default, the any policy OID 
     * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()} 
     * returns <code>false</code>).
     *
     * @param val <code>true</code> if the any policy OID is to be 
     * inhibited, <code>false</code> otherwise
     */
    public void setAnyPolicyInhibited(boolean val) {
	anyPolicyInhibited = val;
    }

    /**
     * Checks whether the any policy OID should be processed if it
     * is included in a certificate.
     *
     * @return <code>true</code> if the any policy OID is inhibited, 
     * <code>false</code> otherwise
     */
    public boolean isAnyPolicyInhibited() {
	return anyPolicyInhibited;
    }

    /**
     * Sets the PolicyQualifiersRejected flag. If this flag is true,
     * certificates that include policy qualifiers in a certificate
     * policies extension that is marked critical are rejected.
     * If the flag is false, certificates are not rejected on this basis.
     *
     * <p> When a <code>PKIXParameters</code> object is created, this flag is 
     * set to true. This setting reflects the most common (and simplest) 
     * strategy for processing policy qualifiers. Applications that want to use
     * a more sophisticated policy must set this flag to false.
     * <p>
     * Note that the PKIX certification path validation algorithm specifies
     * that any policy qualifier in a certificate policies extension that is 
     * marked critical must be processed and validated. Otherwise the 
     * certification path must be rejected. If the policyQualifiersRejected flag
     * is set to false, it is up to the application to validate all policy 
     * qualifiers in this manner in order to be PKIX compliant.
     *
     * @param qualifiersRejected the new value of the PolicyQualifiersRejected 
     * flag
     * @see #getPolicyQualifiersRejected
     * @see PolicyQualifierInfo
     */
    public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
	policyQualifiersRejected = qualifiersRejected;
    }

    /**
     * Gets the PolicyQualifiersRejected flag. If this flag is true,
     * certificates that include policy qualifiers in a certificate policies
     * extension that is marked critical are rejected.
     * If the flag is false, certificates are not rejected on this basis.
     *
     * <p> When a <code>PKIXParameters</code> object is created, this flag is 
     * set to true. This setting reflects the most common (and simplest) 
     * strategy for processing policy qualifiers. Applications that want to use
     * a more sophisticated policy must set this flag to false.
     *
     * @return the current value of the PolicyQualifiersRejected flag
     * @see #setPolicyQualifiersRejected
     */
    public boolean getPolicyQualifiersRejected() {
	return policyQualifiersRejected;
    }

    /**
     * Returns the time for which the validity of the certification path
     * should be determined. If <code>null</code>, the current time is used.
     * <p>
     * Note that the <code>Date</code> returned is copied to protect against 
     * subsequent modifications. 
     *
     * @return the <code>Date</code>, or <code>null</code> if not set
     * @see #setDate
     */
    public Date getDate() {
	if (date == null)
	    return null;
	else 
	    return (Date) this.date.clone();
    }

    /**
     * Sets the time for which the validity of the certification path
     * should be determined. If <code>null</code>, the current time is used.
     * <p>
     * Note that the <code>Date</code> supplied here is copied to protect 
     * against subsequent modifications. 
     *
     * @param date the <code>Date</code>, or <code>null</code> for the 
     * current time
     * @see #getDate
     */
    public void setDate(Date date) {
	if (date != null)
	    this.date = (Date) date.clone();
	else
	    date = null;
    }

    /**
     * Sets a <code>List</code> of additional certification path checkers. If 
     * the specified <code>List</code> contains an object that is not a
     * <code>PKIXCertPathChecker</code>, it is ignored.
     * <p>
     * Each <code>PKIXCertPathChecker</code> specified implements
     * additional checks on a certificate. Typically, these are checks to 
     * process and verify private extensions contained in certificates. 
     * Each <code>PKIXCertPathChecker</code> should be instantiated with any 
     * initialization parameters needed to execute the check.
     * <p>
     * This method allows sophisticated applications to extend a PKIX 
     * <code>CertPathValidator</code> or <code>CertPathBuilder</code>.
     * Each of the specified <code>PKIXCertPathChecker</code>s will be called, 
     * in turn, by a PKIX <code>CertPathValidator</code> or 
     * <code>CertPathBuilder</code> for each certificate processed or 
     * validated. 
     * <p>
     * Regardless of whether these additional <code>PKIXCertPathChecker</code>s 
     * are set, a PKIX <code>CertPathValidator</code> or 
     * <code>CertPathBuilder</code> must perform all of the required PKIX 
     * checks on each certificate. The one exception to this rule is if the 
     * RevocationEnabled flag is set to false (see the {@link 
     * #setRevocationEnabled setRevocationEnabled} method). 
     * <p>
     * Note that the <code>List</code> supplied here is copied and each 
     * <code>PKIXCertPathChecker</code> in the list is cloned to protect
     * against subsequent modifications.
     *
     * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s.
     * May be <code>null</code>, in which case no additional checkers will be
     * used.
     * @throws ClassCastException if any of the elements in the list
     * are not of type <code>java.security.cert.PKIXCertPathChecker</code>
     * @see #getCertPathCheckers
     */
    public void setCertPathCheckers(List checkers) {
	if (checkers != null) {
	    ArrayList tmpList = new ArrayList();
	    Iterator it = checkers.iterator();
	    while (it.hasNext()) {
		PKIXCertPathChecker ck = (PKIXCertPathChecker) it.next();
		tmpList.add(ck.clone());
	    }
	    this.certPathCheckers = tmpList;
	} else
	    this.certPathCheckers = new ArrayList();
    }

    /**
     * Returns the <code>List</code> of certification path checkers. 
     * The returned <code>List</code> is immutable, and each 
     * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned 
     * to protect against subsequent modifications.
     *
     * @return an immutable <code>List</code> of 
     * <code>PKIXCertPathChecker</code>s (may be empty, but not 
     * <code>null</code>)
     * @see #setCertPathCheckers
     */
    public List getCertPathCheckers() {
	ArrayList tmpList = new ArrayList();
	Iterator it = certPathCheckers.iterator();
        while (it.hasNext()) {
	    PKIXCertPathChecker ck = (PKIXCertPathChecker) it.next();
	    tmpList.add(ck.clone());
	}
	return Collections.unmodifiableList(tmpList);
    }

    /**
     * Adds a <code>PKIXCertPathChecker</code> to the list of certification 
     * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
     * method for more details.
     * <p>
     * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
     * against subsequent modifications.
     *
     * @param checker a <code>PKIXCertPathChecker</code> to add to the list of 
     * checks. If <code>null</code>, the checker is ignored (not added to list).
     */
    public void addCertPathChecker(PKIXCertPathChecker checker) {
	if (checker != null)
	    certPathCheckers.add(checker.clone());
    }

    /**
     * Returns the signature provider's name, or <code>null</code> 
     * if not set.
     *
     * @return the signature provider's name (or <code>null</code>)
     * @see #setSigProvider
     */
    public String getSigProvider() {
	return this.sigProvider;
    }

    /**
     * Sets the signature provider's name. The specified provider will be 
     * preferred when creating {@link java.security.Signature Signature} 
     * objects. If <code>null</code> or not set, the first provider found 
     * supporting the algorithm will be used.
     *
     * @param sigProvider the signature provider's name (or <code>null</code>)
     * @see #getSigProvider
    */
    public void setSigProvider(String sigProvider) {
	this.sigProvider = sigProvider;
    }

    /**
     * Returns the required constraints on the target certificate. 
     * The constraints are returned as an instance of <code>CertSelector</code>.
     * If <code>null</code>, no constraints are defined.
     *
     * <p>Note that the <code>CertSelector</code> returned is cloned
     * to protect against subsequent modifications.
     *
     * @return a <code>CertSelector</code> specifying the constraints 
     * on the target certificate (or <code>null</code>)
     * @see #setTargetCertConstraints
     */
    public CertSelector getTargetCertConstraints() {
	if (certSelector != null)
	    return (CertSelector) certSelector.clone();
	else
	    return null;
    }

    /**
     * Sets the required constraints on the target certificate.
     * The constraints are specified as an instance of 
     * <code>CertSelector</code>. If <code>null</code>, no constraints are 
     * defined.
     *
     * <p>Note that the <code>CertSelector</code> specified is cloned
     * to protect against subsequent modifications.
     *
     * @param selector a <code>CertSelector</code> specifying the constraints 
     * on the target certificate (or <code>null</code>)
     * @see #getTargetCertConstraints
     */
    public void setTargetCertConstraints(CertSelector selector) {
	if (selector != null)
	    certSelector = (CertSelector) selector.clone();
	else
	    certSelector = null;
    }

    /**
     * Makes a copy of this <code>PKIXParameters</code> object. Changes
     * to the copy will not affect the original and vice versa.
     *
     * @return a copy of this <code>PKIXParameters</code> object
     */
    public Object clone() {
        try {
            Object copy = super.clone();
	    // Must clone these because addCertStore, et al. modify them
	    if (certStores != null) {
		certStores = new ArrayList(certStores);
	    }
	    if (certPathCheckers != null) {	
	        certPathCheckers = new ArrayList(certPathCheckers);
	    }
	    return copy;
        } catch (CloneNotSupportedException e) {
            /* Cannot happen */
            throw new InternalError(e.toString());
        }
    }

    /**
     * Returns a formatted string describing the parameters.
     *
     * @return a formatted string describing the parameters.
     */
    public String toString() {
	StringBuffer sb = new StringBuffer();
	sb.append("[\n");

	/* start with trusted anchor info */
	if (unmodTrustAnchors != null) {
	    sb.append("  Trust Anchors: " + unmodTrustAnchors.toString() 
		+ "\n");
	}

	/* now, append initial state information */
        if (unmodInitialPolicies != null) {
	    if (unmodInitialPolicies.isEmpty()) {
	        sb.append("  Initial Policy OIDs: any\n");
	    } else {
	        sb.append("  Initial Policy OIDs: [" 
		    + unmodInitialPolicies.toString() + "]\n");
	    }
        }

	/* now, append constraints on all certificates in the path */
        sb.append("  Validity Date: " + String.valueOf(date) + "\n");
        sb.append("  Signature Provider: " + String.valueOf(sigProvider) + "\n");
	sb.append("  Default Revocation Enabled: " + revocationEnabled + "\n");
	sb.append("  Explicit Policy Required: " + explicitPolicyRequired + "\n");
	sb.append("  Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
	sb.append("  Any Policy Inhibited: " + anyPolicyInhibited + "\n");
	sb.append("  Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
	
	/* now, append target cert requirements */
        sb.append("  Target Cert Constraints: " + String.valueOf(certSelector) + "\n");

	/* finally, append miscellaneous parameters */
	if (certPathCheckers != null)
	    sb.append("  Certification Path Checkers: [" 
		+ certPathCheckers.toString() + "]\n");
	if (certStores != null)
	    sb.append("  CertStores: [" + certStores.toString() + "]\n");
	sb.append("]");
	return sb.toString();
    }
}