1. /*

  2.  * @(#)PKIXBuilderParameters.java	1.15 03/12/19

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.security.cert;

  9. 

  10. import java.security.KeyStore;

  11. import java.security.KeyStoreException;

  12. import java.security.InvalidAlgorithmParameterException;

  13. import java.security.InvalidParameterException;

  14. import java.util.Set;

  15. 

  16. /**

  17.  * Parameters used as input for the PKIX <code>CertPathBuilder</code> 

  18.  * algorithm.

  19.  * <p>

  20.  * A PKIX <code>CertPathBuilder</code> uses these parameters to {@link 

  21.  * CertPathBuilder#build build} a <code>CertPath</code> which has been 

  22.  * validated according to the PKIX certification path validation algorithm.

  23.  *

  24.  * <p>To instantiate a <code>PKIXBuilderParameters</code> object, an

  25.  * application must specify one or more <i>most-trusted CAs</i> as defined by

  26.  * the PKIX certification path validation algorithm. The most-trusted CA 

  27.  * can be specified using one of two constructors. An application 

  28.  * can call {@link #PKIXBuilderParameters(Set, CertSelector) 

  29.  * PKIXBuilderParameters(Set, CertSelector)}, specifying a 

  30.  * <code>Set</code> of <code>TrustAnchor</code> objects, each of which 

  31.  * identifies a most-trusted CA. Alternatively, an application can call 

  32.  * {@link #PKIXBuilderParameters(KeyStore, CertSelector)

  33.  * PKIXBuilderParameters(KeyStore, CertSelector)}, specifying a 

  34.  * <code>KeyStore</code> instance containing trusted certificate entries, each 

  35.  * of which will be considered as a most-trusted CA.

  36.  *

  37.  * <p>In addition, an application must specify constraints on the target 

  38.  * certificate that the <code>CertPathBuilder</code> will attempt 

  39.  * to build a path to. The constraints are specified as a 

  40.  * <code>CertSelector</code> object. These constraints should provide the 

  41.  * <code>CertPathBuilder</code> with enough search criteria to find the target 

  42.  * certificate. Minimal criteria for an <code>X509Certificate</code> usually 

  43.  * include the subject name and/or one or more subject alternative names.

  44.  * If enough criteria is not specified, the <code>CertPathBuilder</code> 

  45.  * may throw a <code>CertPathBuilderException</code>.

  46.  * <p>

  47.  * <b>Concurrent Access</b>

  48.  * <p>

  49.  * Unless otherwise specified, the methods defined in this class are not

  50.  * thread-safe. Multiple threads that need to access a single

  51.  * object concurrently should synchronize amongst themselves and

  52.  * provide the necessary locking. Multiple threads each manipulating

  53.  * separate objects need not synchronize.

  54.  *

  55.  * @see CertPathBuilder

  56.  * 

  57.  * @version 	1.15 12/19/03

  58.  * @since 	1.4

  59.  * @author	Sean Mullan

  60.  */

  61. public class PKIXBuilderParameters extends PKIXParameters {

  62. 

  63.     private int maxPathLength = 5;

  64. 

  65.     /**

  66.      * Creates an instance of <code>PKIXBuilderParameters</code> with

  67.      * the specified <code>Set</code> of most-trusted CAs. 

  68.      * Each element of the set is a {@link TrustAnchor TrustAnchor}.

  69.      *

  70.      * <p>Note that the <code>Set</code> is copied to protect against

  71.      * subsequent modifications.

  72.      *

  73.      * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s

  74.      * @param targetConstraints a <code>CertSelector</code> specifying the 

  75.      * constraints on the target certificate 

  76.      * @throws InvalidAlgorithmParameterException if <code>trustAnchors</code> 

  77.      * is empty <code>(trustAnchors.isEmpty() == true)</code>

  78.      * @throws NullPointerException if <code>trustAnchors</code> is 

  79.      * <code>null</code>

  80.      * @throws ClassCastException if any of the elements of

  81.      * <code>trustAnchors</code> are not of type 

  82.      * <code>java.security.cert.TrustAnchor</code>

  83.      */

  84.     public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors, CertSelector 

  85. 	targetConstraints) throws InvalidAlgorithmParameterException

  86.     {

  87.         super(trustAnchors);

  88. 	setTargetCertConstraints(targetConstraints);

  89.     }

  90. 

  91.     /**

  92.      * Creates an instance of <code>PKIXBuilderParameters</code> that

  93.      * populates the set of most-trusted CAs from the trusted

  94.      * certificate entries contained in the specified <code>KeyStore</code>.

  95.      * Only keystore entries that contain trusted <code>X509Certificate</code>s

  96.      * are considered; all other certificate types are ignored.

  97.      *

  98.      * @param keystore a <code>KeyStore</code> from which the set of 

  99.      * most-trusted CAs will be populated

  100.      * @param targetConstraints a <code>CertSelector</code> specifying the 

  101.      * constraints on the target certificate 

  102.      * @throws KeyStoreException if <code>keystore</code> has not been 

  103.      * initialized

  104.      * @throws InvalidAlgorithmParameterException if <code>keystore</code> does

  105.      * not contain at least one trusted certificate entry

  106.      * @throws NullPointerException if <code>keystore</code> is 

  107.      * <code>null</code>

  108.      */

  109.     public PKIXBuilderParameters(KeyStore keystore, 

  110.         CertSelector targetConstraints) 

  111.         throws KeyStoreException, InvalidAlgorithmParameterException 

  112.     {

  113. 	super(keystore);

  114. 	setTargetCertConstraints(targetConstraints);

  115.     }

  116. 

  117.     /**

  118.      * Sets the value of the maximum number of non-self-issued intermediate

  119.      * certificates that may exist in a certification path. A certificate

  120.      * is self-issued if the DNs that appear in the subject and issuer

  121.      * fields are identical and are not empty. Note that the last certificate

  122.      * in a certification path is not an intermediate certificate, and is not

  123.      * included in this limit. Usually the last certificate is an end entity

  124.      * certificate, but it can be a CA certificate. A PKIX 

  125.      * <code>CertPathBuilder</code> instance must not build 

  126.      * paths longer than the length specified.

  127.      *

  128.      * <p> A value of 0 implies that the path can only contain

  129.      * a single certificate. A value of -1 implies that the

  130.      * path length is unconstrained (i.e. there is no maximum).

  131.      * The default maximum path length, if not specified, is 5.

  132.      * Setting a value less than -1 will cause an exception to be thrown.

  133.      *

  134.      * <p> If any of the CA certificates contain the 

  135.      * <code>BasicConstraintsExtension</code>, the value of the

  136.      * <code>pathLenConstraint</code> field of the extension overrides

  137.      * the maximum path length parameter whenever the result is a

  138.      * certification path of smaller length.

  139.      *

  140.      * @param maxPathLength the maximum number of non-self-issued intermediate

  141.      *  certificates that may exist in a certification path

  142.      * @throws InvalidParameterException if <code>maxPathLength</code> is set 

  143.      *  to a value less than -1

  144.      *

  145.      * @see #getMaxPathLength

  146.      */

  147.     public void setMaxPathLength(int maxPathLength) {

  148. 	if (maxPathLength < -1) {

  149. 	    throw new InvalidParameterException("the maximum path "

  150. 		+ "length parameter can not be less than -1");

  151. 	}

  152. 	this.maxPathLength = maxPathLength;

  153.     }

  154. 

  155.     /**

  156.      * Returns the value of the maximum number of intermediate non-self-issued

  157.      * certificates that may exist in a certification path. See

  158.      * the {@link #setMaxPathLength} method for more details.

  159.      *

  160.      * @return the maximum number of non-self-issued intermediate certificates 

  161.      *  that may exist in a certification path, or -1 if there is no limit

  162.      *

  163.      * @see #setMaxPathLength

  164.      */

  165.     public int getMaxPathLength() {

  166.         return maxPathLength;

  167.     }

  168. 

  169.     /**

  170.      * Returns a formatted string describing the parameters.

  171.      *

  172.      * @return a formatted string describing the parameters

  173.      */

  174.     public String toString() {

  175.         StringBuffer sb = new StringBuffer();

  176.         sb.append("[\n");

  177. 	sb.append(super.toString());

  178. 	sb.append("  Maximum Path Length: " + maxPathLength + "\n");

  179. 	sb.append("]\n");

  180. 	return sb.toString();

  181.     }

  182. }