1. /*
  2. * @(#)PKIXParameters.java 1.17 03/12/19
  3. *
  4. * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
  5. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  6. */
  7. package java.security.cert;
  8. import java.security.InvalidAlgorithmParameterException;
  9. import java.security.KeyStore;
  10. import java.security.KeyStoreException;
  11. import java.util.ArrayList;
  12. import java.util.Collections;
  13. import java.util.Date;
  14. import java.util.Enumeration;
  15. import java.util.HashSet;
  16. import java.util.Iterator;
  17. import java.util.List;
  18. import java.util.Set;
  19. /**
  20. * Parameters used as input for the PKIX <code>CertPathValidator</code>
  21. * algorithm.
  22. * <p>
  23. * A PKIX <code>CertPathValidator</code> uses these parameters to
  24. * validate a <code>CertPath</code> according to the PKIX certification path
  25. * validation algorithm.
  26. *
  27. * <p>To instantiate a <code>PKIXParameters</code> object, an
  28. * application must specify one or more <i>most-trusted CAs</i> as defined by
  29. * the PKIX certification path validation algorithm. The most-trusted CAs
  30. * can be specified using one of two constructors. An application
  31. * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
  32. * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each
  33. * of which identify a most-trusted CA. Alternatively, an application can call
  34. * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
  35. * <code>KeyStore</code> instance containing trusted certificate entries, each
  36. * of which will be considered as a most-trusted CA.
  37. * <p>
  38. * Once a <code>PKIXParameters</code> object has been created, other parameters
  39. * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
  40. * or {@link #setDate setDate}, for instance) and then the
  41. * <code>PKIXParameters</code> is passed along with the <code>CertPath</code>
  42. * to be validated to {@link CertPathValidator#validate
  43. * CertPathValidator.validate}.
  44. * <p>
  45. * Any parameter that is not set (or is set to <code>null</code>) will
  46. * be set to the default value for that parameter. The default value for the
  47. * <code>date</code> parameter is <code>null</code>, which indicates
  48. * the current time when the path is validated. The default for the
  49. * remaining parameters is the least constrained.
  50. * <p>
  51. * <b>Concurrent Access</b>
  52. * <p>
  53. * Unless otherwise specified, the methods defined in this class are not
  54. * thread-safe. Multiple threads that need to access a single
  55. * object concurrently should synchronize amongst themselves and
  56. * provide the necessary locking. Multiple threads each manipulating
  57. * separate objects need not synchronize.
  58. *
  59. * @see CertPathValidator
  60. *
  61. * @version 1.17 12/19/03
  62. * @since 1.4
  63. * @author Sean Mullan
  64. * @author Yassir Elley
  65. */
  66. public class PKIXParameters implements CertPathParameters {
  67. private Set<TrustAnchor> unmodTrustAnchors;
  68. private Date date;
  69. private List<PKIXCertPathChecker> certPathCheckers;
  70. private String sigProvider;
  71. private boolean revocationEnabled = true;
  72. private Set<String> unmodInitialPolicies;
  73. private boolean explicitPolicyRequired = false;
  74. private boolean policyMappingInhibited = false;
  75. private boolean anyPolicyInhibited = false;
  76. private boolean policyQualifiersRejected = true;
  77. private List<CertStore> certStores;
  78. private CertSelector certSelector;
  79. /**
  80. * Creates an instance of <code>PKIXParameters</code> with the specified
  81. * <code>Set</code> of most-trusted CAs. Each element of the
  82. * set is a {@link TrustAnchor TrustAnchor}.
  83. * <p>
  84. * Note that the <code>Set</code> is copied to protect against
  85. * subsequent modifications.
  86. *
  87. * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
  88. * @throws InvalidAlgorithmParameterException if the specified
  89. * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
  90. * @throws NullPointerException if the specified <code>Set</code> is
  91. * <code>null</code>
  92. * @throws ClassCastException if any of the elements in the <code>Set</code>
  93. * are not of type <code>java.security.cert.TrustAnchor</code>
  94. */
  95. public PKIXParameters(Set<TrustAnchor> trustAnchors)
  96. throws InvalidAlgorithmParameterException
  97. {
  98. setTrustAnchors(trustAnchors);
  99. this.unmodInitialPolicies = Collections.<String>emptySet();
  100. this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
  101. this.certStores = new ArrayList<CertStore>();
  102. }
  103. /**
  104. * Creates an instance of <code>PKIXParameters</code> that
  105. * populates the set of most-trusted CAs from the trusted
  106. * certificate entries contained in the specified <code>KeyStore</code>.
  107. * Only keystore entries that contain trusted <code>X509Certificates</code>
  108. * are considered; all other certificate types are ignored.
  109. *
  110. * @param keystore a <code>KeyStore</code> from which the set of
  111. * most-trusted CAs will be populated
  112. * @throws KeyStoreException if the keystore has not been initialized
  113. * @throws InvalidAlgorithmParameterException if the keystore does
  114. * not contain at least one trusted certificate entry
  115. * @throws NullPointerException if the keystore is <code>null</code>
  116. */
  117. public PKIXParameters(KeyStore keystore)
  118. throws KeyStoreException, InvalidAlgorithmParameterException
  119. {
  120. if (keystore == null)
  121. throw new NullPointerException("the keystore parameter must be " +
  122. "non-null");
  123. Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
  124. Enumeration aliases = keystore.aliases();
  125. while (aliases.hasMoreElements()) {
  126. String alias = (String) aliases.nextElement();
  127. if (keystore.isCertificateEntry(alias)) {
  128. Certificate cert = keystore.getCertificate(alias);
  129. if (cert instanceof X509Certificate)
  130. hashSet.add(new TrustAnchor((X509Certificate)cert, null));
  131. }
  132. }
  133. setTrustAnchors(hashSet);
  134. this.unmodInitialPolicies = Collections.<String>emptySet();
  135. this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
  136. this.certStores = new ArrayList<CertStore>();
  137. }
  138. /**
  139. * Returns an immutable <code>Set</code> of the most-trusted
  140. * CAs.
  141. *
  142. * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s
  143. * (never <code>null</code>)
  144. *
  145. * @see #setTrustAnchors
  146. */
  147. public Set<TrustAnchor> getTrustAnchors() {
  148. return this.unmodTrustAnchors;
  149. }
  150. /**
  151. * Sets the <code>Set</code> of most-trusted CAs.
  152. * <p>
  153. * Note that the <code>Set</code> is copied to protect against
  154. * subsequent modifications.
  155. *
  156. * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
  157. * @throws InvalidAlgorithmParameterException if the specified
  158. * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
  159. * @throws NullPointerException if the specified <code>Set</code> is
  160. * <code>null</code>
  161. * @throws ClassCastException if any of the elements in the set
  162. * are not of type <code>java.security.cert.TrustAnchor</code>
  163. *
  164. * @see #getTrustAnchors
  165. */
  166. public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
  167. throws InvalidAlgorithmParameterException
  168. {
  169. if (trustAnchors == null) {
  170. throw new NullPointerException("the trustAnchors parameters must" +
  171. " be non-null");
  172. }
  173. if (trustAnchors.isEmpty()) {
  174. throw new InvalidAlgorithmParameterException("the trustAnchors " +
  175. "parameter must be non-empty");
  176. }
  177. for (Iterator i = trustAnchors.iterator(); i.hasNext(); ) {
  178. if (!(i.next() instanceof TrustAnchor)) {
  179. throw new ClassCastException("all elements of set must be "
  180. + "of type java.security.cert.TrustAnchor");
  181. }
  182. }
  183. this.unmodTrustAnchors = Collections.unmodifiableSet
  184. (new HashSet<TrustAnchor>(trustAnchors));
  185. }
  186. /**
  187. * Returns an immutable <code>Set</code> of initial
  188. * policy identifiers (OID strings), indicating that any one of these
  189. * policies would be acceptable to the certificate user for the purposes of
  190. * certification path processing. The default return value is an empty
  191. * <code>Set</code>, which is interpreted as meaning that any policy would
  192. * be acceptable.
  193. *
  194. * @return an immutable <code>Set</code> of initial policy OIDs in
  195. * <code>String</code> format, or an empty <code>Set</code> (implying any
  196. * policy is acceptable). Never returns <code>null</code>.
  197. *
  198. * @see #setInitialPolicies
  199. */
  200. public Set<String> getInitialPolicies() {
  201. return this.unmodInitialPolicies;
  202. }
  203. /**
  204. * Sets the <code>Set</code> of initial policy identifiers
  205. * (OID strings), indicating that any one of these
  206. * policies would be acceptable to the certificate user for the purposes of
  207. * certification path processing. By default, any policy is acceptable
  208. * (i.e. all policies), so a user that wants to allow any policy as
  209. * acceptable does not need to call this method, or can call it
  210. * with an empty <code>Set</code> (or <code>null</code>).
  211. * <p>
  212. * Note that the <code>Set</code> is copied to protect against
  213. * subsequent modifications.
  214. *
  215. * @param initialPolicies a <code>Set</code> of initial policy
  216. * OIDs in <code>String</code> format (or <code>null</code>)
  217. * @throws ClassCastException if any of the elements in the set are
  218. * not of type <code>String</code>
  219. *
  220. * @see #getInitialPolicies
  221. */
  222. public void setInitialPolicies(Set<String> initialPolicies) {
  223. if (initialPolicies != null) {
  224. for (Iterator i = initialPolicies.iterator(); i.hasNext();) {
  225. if (!(i.next() instanceof String))
  226. throw new ClassCastException("all elements of set must be "
  227. + "of type java.lang.String");
  228. }
  229. this.unmodInitialPolicies =
  230. Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
  231. } else
  232. this.unmodInitialPolicies = Collections.<String>emptySet();
  233. }
  234. /**
  235. * Sets the list of <code>CertStore</code>s to be used in finding
  236. * certificates and CRLs. May be <code>null</code>, in which case
  237. * no <code>CertStore</code>s will be used. The first
  238. * <code>CertStore</code>s in the list may be preferred to those that
  239. * appear later.
  240. * <p>
  241. * Note that the <code>List</code> is copied to protect against
  242. * subsequent modifications.
  243. *
  244. * @param stores a <code>List</code> of <code>CertStore</code>s (or
  245. * <code>null</code>)
  246. * @throws ClassCastException if any of the elements in the list are
  247. * not of type <code>java.security.cert.CertStore</code>
  248. *
  249. * @see #getCertStores
  250. */
  251. public void setCertStores(List<CertStore> stores) {
  252. if (stores == null) {
  253. this.certStores = new ArrayList<CertStore>();
  254. } else {
  255. for (Iterator i = stores.iterator(); i.hasNext();) {
  256. if (!(i.next() instanceof CertStore)) {
  257. throw new ClassCastException("all elements of list must be "
  258. + "of type java.security.cert.CertStore");
  259. }
  260. }
  261. this.certStores = new ArrayList<CertStore>(stores);
  262. }
  263. }
  264. /**
  265. * Adds a <code>CertStore</code> to the end of the list of
  266. * <code>CertStore</code>s used in finding certificates and CRLs.
  267. *
  268. * @param store the <code>CertStore</code> to add. If <code>null</code>,
  269. * the store is ignored (not added to list).
  270. */
  271. public void addCertStore(CertStore store) {
  272. if (store != null) {
  273. this.certStores.add(store);
  274. }
  275. }
  276. /**
  277. * Returns an immutable <code>List</code> of <code>CertStore</code>s that
  278. * are used to find certificates and CRLs.
  279. *
  280. * @return an immutable <code>List</code> of <code>CertStore</code>s
  281. * (may be empty, but never <code>null</code>)
  282. *
  283. * @see #setCertStores
  284. */
  285. public List<CertStore> getCertStores() {
  286. return Collections.unmodifiableList
  287. (new ArrayList<CertStore>(this.certStores));
  288. }
  289. /**
  290. * Sets the RevocationEnabled flag. If this flag is true, the default
  291. * revocation checking mechanism of the underlying PKIX service provider
  292. * will be used. If this flag is false, the default revocation checking
  293. * mechanism will be disabled (not used).
  294. * <p>
  295. * When a <code>PKIXParameters</code> object is created, this flag is set
  296. * to true. This setting reflects the most common strategy for checking
  297. * revocation, since each service provider must support revocation
  298. * checking to be PKIX compliant. Sophisticated applications should set
  299. * this flag to false when it is not practical to use a PKIX service
  300. * provider's default revocation checking mechanism or when an alternative
  301. * revocation checking mechanism is to be substituted (by also calling the
  302. * {@link #addCertPathChecker addCertPathChecker} or {@link
  303. * #setCertPathCheckers setCertPathCheckers} methods).
  304. *
  305. * @param val the new value of the RevocationEnabled flag
  306. */
  307. public void setRevocationEnabled(boolean val) {
  308. revocationEnabled = val;
  309. }
  310. /**
  311. * Checks the RevocationEnabled flag. If this flag is true, the default
  312. * revocation checking mechanism of the underlying PKIX service provider
  313. * will be used. If this flag is false, the default revocation checking
  314. * mechanism will be disabled (not used). See the {@link
  315. * #setRevocationEnabled setRevocationEnabled} method for more details on
  316. * setting the value of this flag.
  317. *
  318. * @return the current value of the RevocationEnabled flag
  319. */
  320. public boolean isRevocationEnabled() {
  321. return revocationEnabled;
  322. }
  323. /**
  324. * Sets the ExplicitPolicyRequired flag. If this flag is true, an
  325. * acceptable policy needs to be explicitly identified in every certificate.
  326. * By default, the ExplicitPolicyRequired flag is false.
  327. *
  328. * @param val <code>true</code> if explicit policy is to be required,
  329. * <code>false</code> otherwise
  330. */
  331. public void setExplicitPolicyRequired(boolean val) {
  332. explicitPolicyRequired = val;
  333. }
  334. /**
  335. * Checks if explicit policy is required. If this flag is true, an
  336. * acceptable policy needs to be explicitly identified in every certificate.
  337. * By default, the ExplicitPolicyRequired flag is false.
  338. *
  339. * @return <code>true</code> if explicit policy is required,
  340. * <code>false</code> otherwise
  341. */
  342. public boolean isExplicitPolicyRequired() {
  343. return explicitPolicyRequired;
  344. }
  345. /**
  346. * Sets the PolicyMappingInhibited flag. If this flag is true, policy
  347. * mapping is inhibited. By default, policy mapping is not inhibited (the
  348. * flag is false).
  349. *
  350. * @param val <code>true</code> if policy mapping is to be inhibited,
  351. * <code>false</code> otherwise
  352. */
  353. public void setPolicyMappingInhibited(boolean val) {
  354. policyMappingInhibited = val;
  355. }
  356. /**
  357. * Checks if policy mapping is inhibited. If this flag is true, policy
  358. * mapping is inhibited. By default, policy mapping is not inhibited (the
  359. * flag is false).
  360. *
  361. * @return true if policy mapping is inhibited, false otherwise
  362. */
  363. public boolean isPolicyMappingInhibited() {
  364. return policyMappingInhibited;
  365. }
  366. /**
  367. * Sets state to determine if the any policy OID should be processed
  368. * if it is included in a certificate. By default, the any policy OID
  369. * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
  370. * returns <code>false</code>).
  371. *
  372. * @param val <code>true</code> if the any policy OID is to be
  373. * inhibited, <code>false</code> otherwise
  374. */
  375. public void setAnyPolicyInhibited(boolean val) {
  376. anyPolicyInhibited = val;
  377. }
  378. /**
  379. * Checks whether the any policy OID should be processed if it
  380. * is included in a certificate.
  381. *
  382. * @return <code>true</code> if the any policy OID is inhibited,
  383. * <code>false</code> otherwise
  384. */
  385. public boolean isAnyPolicyInhibited() {
  386. return anyPolicyInhibited;
  387. }
  388. /**
  389. * Sets the PolicyQualifiersRejected flag. If this flag is true,
  390. * certificates that include policy qualifiers in a certificate
  391. * policies extension that is marked critical are rejected.
  392. * If the flag is false, certificates are not rejected on this basis.
  393. *
  394. * <p> When a <code>PKIXParameters</code> object is created, this flag is
  395. * set to true. This setting reflects the most common (and simplest)
  396. * strategy for processing policy qualifiers. Applications that want to use
  397. * a more sophisticated policy must set this flag to false.
  398. * <p>
  399. * Note that the PKIX certification path validation algorithm specifies
  400. * that any policy qualifier in a certificate policies extension that is
  401. * marked critical must be processed and validated. Otherwise the
  402. * certification path must be rejected. If the policyQualifiersRejected flag
  403. * is set to false, it is up to the application to validate all policy
  404. * qualifiers in this manner in order to be PKIX compliant.
  405. *
  406. * @param qualifiersRejected the new value of the PolicyQualifiersRejected
  407. * flag
  408. * @see #getPolicyQualifiersRejected
  409. * @see PolicyQualifierInfo
  410. */
  411. public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
  412. policyQualifiersRejected = qualifiersRejected;
  413. }
  414. /**
  415. * Gets the PolicyQualifiersRejected flag. If this flag is true,
  416. * certificates that include policy qualifiers in a certificate policies
  417. * extension that is marked critical are rejected.
  418. * If the flag is false, certificates are not rejected on this basis.
  419. *
  420. * <p> When a <code>PKIXParameters</code> object is created, this flag is
  421. * set to true. This setting reflects the most common (and simplest)
  422. * strategy for processing policy qualifiers. Applications that want to use
  423. * a more sophisticated policy must set this flag to false.
  424. *
  425. * @return the current value of the PolicyQualifiersRejected flag
  426. * @see #setPolicyQualifiersRejected
  427. */
  428. public boolean getPolicyQualifiersRejected() {
  429. return policyQualifiersRejected;
  430. }
  431. /**
  432. * Returns the time for which the validity of the certification path
  433. * should be determined. If <code>null</code>, the current time is used.
  434. * <p>
  435. * Note that the <code>Date</code> returned is copied to protect against
  436. * subsequent modifications.
  437. *
  438. * @return the <code>Date</code>, or <code>null</code> if not set
  439. * @see #setDate
  440. */
  441. public Date getDate() {
  442. if (date == null)
  443. return null;
  444. else
  445. return (Date) this.date.clone();
  446. }
  447. /**
  448. * Sets the time for which the validity of the certification path
  449. * should be determined. If <code>null</code>, the current time is used.
  450. * <p>
  451. * Note that the <code>Date</code> supplied here is copied to protect
  452. * against subsequent modifications.
  453. *
  454. * @param date the <code>Date</code>, or <code>null</code> for the
  455. * current time
  456. * @see #getDate
  457. */
  458. public void setDate(Date date) {
  459. if (date != null)
  460. this.date = (Date) date.clone();
  461. else
  462. date = null;
  463. }
  464. /**
  465. * Sets a <code>List</code> of additional certification path checkers. If
  466. * the specified <code>List</code> contains an object that is not a
  467. * <code>PKIXCertPathChecker</code>, it is ignored.
  468. * <p>
  469. * Each <code>PKIXCertPathChecker</code> specified implements
  470. * additional checks on a certificate. Typically, these are checks to
  471. * process and verify private extensions contained in certificates.
  472. * Each <code>PKIXCertPathChecker</code> should be instantiated with any
  473. * initialization parameters needed to execute the check.
  474. * <p>
  475. * This method allows sophisticated applications to extend a PKIX
  476. * <code>CertPathValidator</code> or <code>CertPathBuilder</code>.
  477. * Each of the specified <code>PKIXCertPathChecker</code>s will be called,
  478. * in turn, by a PKIX <code>CertPathValidator</code> or
  479. * <code>CertPathBuilder</code> for each certificate processed or
  480. * validated.
  481. * <p>
  482. * Regardless of whether these additional <code>PKIXCertPathChecker</code>s
  483. * are set, a PKIX <code>CertPathValidator</code> or
  484. * <code>CertPathBuilder</code> must perform all of the required PKIX
  485. * checks on each certificate. The one exception to this rule is if the
  486. * RevocationEnabled flag is set to false (see the {@link
  487. * #setRevocationEnabled setRevocationEnabled} method).
  488. * <p>
  489. * Note that the <code>List</code> supplied here is copied and each
  490. * <code>PKIXCertPathChecker</code> in the list is cloned to protect
  491. * against subsequent modifications.
  492. *
  493. * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s.
  494. * May be <code>null</code>, in which case no additional checkers will be
  495. * used.
  496. * @throws ClassCastException if any of the elements in the list
  497. * are not of type <code>java.security.cert.PKIXCertPathChecker</code>
  498. * @see #getCertPathCheckers
  499. */
  500. public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
  501. if (checkers != null) {
  502. List<PKIXCertPathChecker> tmpList =
  503. new ArrayList<PKIXCertPathChecker>();
  504. for (PKIXCertPathChecker checker : checkers) {
  505. tmpList.add((PKIXCertPathChecker)checker.clone());
  506. }
  507. this.certPathCheckers = tmpList;
  508. } else {
  509. this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
  510. }
  511. }
  512. /**
  513. * Returns the <code>List</code> of certification path checkers.
  514. * The returned <code>List</code> is immutable, and each
  515. * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned
  516. * to protect against subsequent modifications.
  517. *
  518. * @return an immutable <code>List</code> of
  519. * <code>PKIXCertPathChecker</code>s (may be empty, but not
  520. * <code>null</code>)
  521. * @see #setCertPathCheckers
  522. */
  523. public List<PKIXCertPathChecker> getCertPathCheckers() {
  524. List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
  525. for (PKIXCertPathChecker ck : certPathCheckers) {
  526. tmpList.add((PKIXCertPathChecker)ck.clone());
  527. }
  528. return Collections.unmodifiableList(tmpList);
  529. }
  530. /**
  531. * Adds a <code>PKIXCertPathChecker</code> to the list of certification
  532. * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
  533. * method for more details.
  534. * <p>
  535. * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
  536. * against subsequent modifications.
  537. *
  538. * @param checker a <code>PKIXCertPathChecker</code> to add to the list of
  539. * checks. If <code>null</code>, the checker is ignored (not added to list).
  540. */
  541. public void addCertPathChecker(PKIXCertPathChecker checker) {
  542. if (checker != null) {
  543. certPathCheckers.add((PKIXCertPathChecker)checker.clone());
  544. }
  545. }
  546. /**
  547. * Returns the signature provider's name, or <code>null</code>
  548. * if not set.
  549. *
  550. * @return the signature provider's name (or <code>null</code>)
  551. * @see #setSigProvider
  552. */
  553. public String getSigProvider() {
  554. return this.sigProvider;
  555. }
  556. /**
  557. * Sets the signature provider's name. The specified provider will be
  558. * preferred when creating {@link java.security.Signature Signature}
  559. * objects. If <code>null</code> or not set, the first provider found
  560. * supporting the algorithm will be used.
  561. *
  562. * @param sigProvider the signature provider's name (or <code>null</code>)
  563. * @see #getSigProvider
  564. */
  565. public void setSigProvider(String sigProvider) {
  566. this.sigProvider = sigProvider;
  567. }
  568. /**
  569. * Returns the required constraints on the target certificate.
  570. * The constraints are returned as an instance of <code>CertSelector</code>.
  571. * If <code>null</code>, no constraints are defined.
  572. *
  573. * <p>Note that the <code>CertSelector</code> returned is cloned
  574. * to protect against subsequent modifications.
  575. *
  576. * @return a <code>CertSelector</code> specifying the constraints
  577. * on the target certificate (or <code>null</code>)
  578. * @see #setTargetCertConstraints
  579. */
  580. public CertSelector getTargetCertConstraints() {
  581. if (certSelector != null) {
  582. return (CertSelector) certSelector.clone();
  583. } else {
  584. return null;
  585. }
  586. }
  587. /**
  588. * Sets the required constraints on the target certificate.
  589. * The constraints are specified as an instance of
  590. * <code>CertSelector</code>. If <code>null</code>, no constraints are
  591. * defined.
  592. *
  593. * <p>Note that the <code>CertSelector</code> specified is cloned
  594. * to protect against subsequent modifications.
  595. *
  596. * @param selector a <code>CertSelector</code> specifying the constraints
  597. * on the target certificate (or <code>null</code>)
  598. * @see #getTargetCertConstraints
  599. */
  600. public void setTargetCertConstraints(CertSelector selector) {
  601. if (selector != null)
  602. certSelector = (CertSelector) selector.clone();
  603. else
  604. certSelector = null;
  605. }
  606. /**
  607. * Makes a copy of this <code>PKIXParameters</code> object. Changes
  608. * to the copy will not affect the original and vice versa.
  609. *
  610. * @return a copy of this <code>PKIXParameters</code> object
  611. */
  612. public Object clone() {
  613. try {
  614. Object copy = super.clone();
  615. // Must clone these because addCertStore, et al. modify them
  616. if (certStores != null) {
  617. certStores = new ArrayList<CertStore>(certStores);
  618. }
  619. if (certPathCheckers != null) {
  620. certPathCheckers =
  621. new ArrayList<PKIXCertPathChecker>(certPathCheckers);
  622. }
  623. return copy;
  624. } catch (CloneNotSupportedException e) {
  625. /* Cannot happen */
  626. throw new InternalError(e.toString());
  627. }
  628. }
  629. /**
  630. * Returns a formatted string describing the parameters.
  631. *
  632. * @return a formatted string describing the parameters.
  633. */
  634. public String toString() {
  635. StringBuffer sb = new StringBuffer();
  636. sb.append("[\n");
  637. /* start with trusted anchor info */
  638. if (unmodTrustAnchors != null) {
  639. sb.append(" Trust Anchors: " + unmodTrustAnchors.toString()
  640. + "\n");
  641. }
  642. /* now, append initial state information */
  643. if (unmodInitialPolicies != null) {
  644. if (unmodInitialPolicies.isEmpty()) {
  645. sb.append(" Initial Policy OIDs: any\n");
  646. } else {
  647. sb.append(" Initial Policy OIDs: ["
  648. + unmodInitialPolicies.toString() + "]\n");
  649. }
  650. }
  651. /* now, append constraints on all certificates in the path */
  652. sb.append(" Validity Date: " + String.valueOf(date) + "\n");
  653. sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n");
  654. sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n");
  655. sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n");
  656. sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
  657. sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n");
  658. sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
  659. /* now, append target cert requirements */
  660. sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
  661. /* finally, append miscellaneous parameters */
  662. if (certPathCheckers != null)
  663. sb.append(" Certification Path Checkers: ["
  664. + certPathCheckers.toString() + "]\n");
  665. if (certStores != null)
  666. sb.append(" CertStores: [" + certStores.toString() + "]\n");
  667. sb.append("]");
  668. return sb.toString();
  669. }
  670. }