001/* PKIXParameters.java -- parameters for the PKIX cert path algorithm
002   Copyright (C) 2003 Free Software Foundation, Inc.
003
004This file is part of GNU Classpath.
005
006GNU Classpath is free software; you can redistribute it and/or modify
007it under the terms of the GNU General Public License as published by
008the Free Software Foundation; either version 2, or (at your option)
009any later version.
010 
011GNU Classpath is distributed in the hope that it will be useful, but
012WITHOUT ANY WARRANTY; without even the implied warranty of
013MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
014General Public License for more details.
015
016You should have received a copy of the GNU General Public License
017along with GNU Classpath; see the file COPYING.  If not, write to the
018Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
01902110-1301 USA.
020
021Linking this library statically or dynamically with other modules is
022making a combined work based on this library.  Thus, the terms and
023conditions of the GNU General Public License cover the whole
024combination.
025
026As a special exception, the copyright holders of this library give you
027permission to link this library with independent modules to produce an
028executable, regardless of the license terms of these independent
029modules, and to copy and distribute the resulting executable under
030terms of your choice, provided that you also meet, for each linked
031independent module, the terms and conditions of the license of that
032module.  An independent module is a module which is not derived from
033or based on this library.  If you modify this library, you may extend
034this exception to your version of the library, but you are not
035obligated to do so.  If you do not wish to do so, delete this
036exception statement from your version. */
037
038
039package java.security.cert;
040
041import java.security.InvalidAlgorithmParameterException;
042import java.security.KeyStore;
043import java.security.KeyStoreException;
044
045import java.util.Collections;
046import java.util.Date;
047import java.util.Enumeration;
048import java.util.HashSet;
049import java.util.Iterator;
050import java.util.LinkedList;
051import java.util.List;
052import java.util.Set;
053
054/**
055 * Parameters for verifying certificate paths using the PKIX
056 * (Public-Key Infrastructure (X.509)) algorithm.
057 *
058 * @see CertPathBuilder
059 * @since 1.4
060 */
061public class PKIXParameters implements CertPathParameters
062{
063
064  // Fields.
065  // ------------------------------------------------------------------------
066
067  /** The trusted certificates. */
068  private final Set trustAnchors;
069
070  /** The set of initial policy identifiers. */
071  private final Set initPolicies;
072
073  /** The list of certificate stores. */
074  private final List certStores;
075
076  /** The list of path checkers. */
077  private final List pathCheckers;
078
079  /** The revocation enabled flag. */
080  private boolean revocationEnabled;
081
082  /** The explicit policy required flag. */
083  private boolean exPolicyRequired;
084
085  /** The policy mapping inhibited flag. */
086  private boolean policyMappingInhibited;
087
088  /** The any policy inhibited flag. */
089  private boolean anyPolicyInhibited;
090
091  /** The policy qualifiers rejected flag. */
092  private boolean policyQualRejected;
093
094  /** The target validation date. */
095  private Date date;
096
097  /** The signature algorithm provider. */
098  private String sigProvider;
099
100  /** The target constraints. */
101  private CertSelector targetConstraints;
102
103  // Constructors.
104  // ------------------------------------------------------------------------
105
106  /**
107   * Create a new PKIXParameters object, populating the trusted
108   * certificates set with all certificates found in the given key
109   * store. All certificates found in the key store are assumed to be
110   * trusted by this constructor.
111   *
112   * @param keystore The key store.
113   * @throws KeyStoreException If the certificates cannot be retrieved
114   *         from the key store.
115   * @throws InvalidAlgorithmParameterException If there are no
116   *         certificates in the key store.
117   * @throws NullPointerException If <i>keystore</i> is null.
118   */
119  public PKIXParameters(KeyStore keystore)
120    throws KeyStoreException, InvalidAlgorithmParameterException
121  {
122    this();
123    for (Enumeration e = keystore.aliases(); e.hasMoreElements(); )
124      {
125        String alias = (String) e.nextElement();
126        if (!keystore.isCertificateEntry(alias))
127          continue;
128        Certificate cert = keystore.getCertificate(alias);
129        if (cert instanceof X509Certificate)
130          trustAnchors.add(new TrustAnchor((X509Certificate) cert, null));
131      }
132    if (trustAnchors.isEmpty())
133      throw new InvalidAlgorithmParameterException("no certs in the key store");
134  }
135
136  /**
137   * Create a new PKIXParameters object, populating the trusted
138   * certificates set with the elements of the given set, each of which
139   * must be a {@link TrustAnchor}.
140   *
141   * @param trustAnchors The set of trust anchors.
142   * @throws InvalidAlgorithmParameterException If there are no
143   *         certificates in the set.
144   * @throws NullPointerException If <i>trustAnchors</i> is null.
145   * @throws ClassCastException If every element in <i>trustAnchors</i>
146   *         is not a {@link TrustAnchor}.
147   */
148  public PKIXParameters(Set<TrustAnchor> trustAnchors)
149    throws InvalidAlgorithmParameterException
150  {
151    this();
152    setTrustAnchors(trustAnchors);
153  }
154
155  /**
156   * Default constructor.
157   */
158  private PKIXParameters()
159  {
160    trustAnchors = new HashSet();
161    initPolicies = new HashSet();
162    certStores = new LinkedList();
163    pathCheckers = new LinkedList();
164    revocationEnabled = true;
165    exPolicyRequired = false;
166    policyMappingInhibited = false;
167    anyPolicyInhibited = false;
168    policyQualRejected = true;
169  }
170
171  /**
172   * Copying constructor for cloning.
173   *
174   * @param that The instance being cloned.
175   */
176  private PKIXParameters(PKIXParameters that)
177  {
178    this();
179    this.trustAnchors.addAll(that.trustAnchors);
180    this.initPolicies.addAll(that.initPolicies);
181    this.certStores.addAll(that.certStores);
182    this.pathCheckers.addAll(that.pathCheckers);
183    this.revocationEnabled = that.revocationEnabled;
184    this.exPolicyRequired = that.exPolicyRequired;
185    this.policyMappingInhibited = that.policyMappingInhibited;
186    this.anyPolicyInhibited = that.anyPolicyInhibited;
187    this.policyQualRejected = that.policyQualRejected;
188    this.date = that.date;
189    this.sigProvider = that.sigProvider;
190    this.targetConstraints = that.targetConstraints != null
191      ? (CertSelector) that.targetConstraints.clone() : null;
192  }
193
194  // Instance methods.
195  // ------------------------------------------------------------------------
196
197  /**
198   * Returns an immutable set of trust anchors. The set returned will
199   * never be null and will never be empty.
200   *
201   * @return A (never null, never empty) immutable set of trust anchors.
202   */
203  public Set<TrustAnchor> getTrustAnchors()
204  {
205    return Collections.unmodifiableSet(trustAnchors);
206  }
207
208  /**
209   * Sets the trust anchors of this class, replacing the current trust
210   * anchors with those in the given set. The supplied set is copied to
211   * prevent modification.
212   *
213   * @param trustAnchors The new set of trust anchors.
214   * @throws InvalidAlgorithmParameterException If there are no
215   *         certificates in the set.
216   * @throws NullPointerException If <i>trustAnchors</i> is null.
217   * @throws ClassCastException If every element in <i>trustAnchors</i>
218   *         is not a {@link TrustAnchor}.
219   */
220  public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
221    throws InvalidAlgorithmParameterException
222  {
223    if (trustAnchors.isEmpty())
224      throw new InvalidAlgorithmParameterException("no trust anchors");
225    this.trustAnchors.clear();
226    for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
227      {
228        this.trustAnchors.add((TrustAnchor) i.next());
229      }
230  }
231
232  /**
233   * Returns the set of initial policy identifiers (as OID strings). If
234   * any policy is accepted, this method returns the empty set.
235   *
236   * @return An immutable set of initial policy OID strings, or the
237   *         empty set if any policy is acceptable.
238   */
239  public Set<String> getInitialPolicies()
240  {
241    return Collections.unmodifiableSet(initPolicies);
242  }
243
244  /**
245   * Sets the initial policy identifiers (as OID strings). If the
246   * argument is null or the empty set, then any policy identifier will
247   * be accepted.
248   *
249   * @param initPolicies The new set of policy strings, or null.
250   * @throws ClassCastException If any element in <i>initPolicies</i> is
251   *         not a string.
252   */
253  public void setInitialPolicies(Set<String> initPolicies)
254  {
255    this.initPolicies.clear();
256    if (initPolicies == null)
257      return;
258    for (Iterator i = initPolicies.iterator(); i.hasNext(); )
259      {
260        this.initPolicies.add((String) i.next());
261      }
262  }
263
264  /**
265   * Add a {@link CertStore} to the list of cert stores.
266   *
267   * @param store The CertStore to add.
268   */
269  public void addCertStore(CertStore store)
270  {
271    if (store != null)
272      certStores.add(store);
273  }
274
275  /**
276   * Returns an immutable list of cert stores. This method never returns
277   * null.
278   *
279   * @return The list of cert stores.
280   */
281  public List<CertStore> getCertStores()
282  {
283    return Collections.unmodifiableList(certStores);
284  }
285
286  /**
287   * Set the cert stores. If the argument is null the list of cert
288   * stores will be empty.
289   *
290   * @param certStores The cert stores.
291   */
292  public void setCertStores(List<CertStore> certStores)
293  {
294    this.certStores.clear();
295    if (certStores == null)
296      return;
297    for (Iterator i = certStores.iterator(); i.hasNext(); )
298      {
299        this.certStores.add((CertStore) i.next());
300      }
301  }
302
303  /**
304   * Returns the value of the <i>revocation enabled</i> flag. The default
305   * value for this flag is <code>true</code>.
306   *
307   * @return The <i>revocation enabled</i> flag.
308   */
309  public boolean isRevocationEnabled()
310  {
311    return revocationEnabled;
312  }
313
314  /**
315   * Sets the value of the <i>revocation enabled</i> flag.
316   *
317   * @param value The new value.
318   */
319  public void setRevocationEnabled(boolean value)
320  {
321    revocationEnabled = value;
322  }
323
324  /**
325   * Returns the value of the <i>explicit policy required</i> flag. The
326   * default value of this flag is <code>false</code>.
327   *
328   * @return The <i>explicit policy required</i> flag.
329   */
330  public boolean isExplicitPolicyRequired()
331  {
332    return exPolicyRequired;
333  }
334
335  /**
336   * Sets the value of the <i>explicit policy required</i> flag.
337   *
338   * @param value The new value.
339   */
340  public void setExplicitPolicyRequired(boolean value)
341  {
342    exPolicyRequired = value;
343  }
344
345  /**
346   * Returns the value of the <i>policy mapping inhibited</i> flag. The
347   * default value of this flag is <code>false</code>.
348   *
349   * @return The <i>policy mapping inhibited</i> flag.
350   */
351  public boolean isPolicyMappingInhibited()
352  {
353    return policyMappingInhibited;
354  }
355
356  /**
357   * Sets the value of the <i>policy mapping inhibited</i> flag.
358   *
359   * @param value The new value.
360   */
361  public void setPolicyMappingInhibited(boolean value)
362  {
363    policyMappingInhibited = value;
364  }
365
366  /**
367   * Returns the value of the <i>any policy inhibited</i> flag. The
368   * default value of this flag is <code>false</code>.
369   *
370   * @return The <i>any policy inhibited</i> flag.
371   */
372  public boolean isAnyPolicyInhibited()
373  {
374    return anyPolicyInhibited;
375  }
376
377  /**
378   * Sets the value of the <i>any policy inhibited</i> flag.
379   *
380   * @param value The new value.
381   */
382  public void setAnyPolicyInhibited(boolean value)
383  {
384    anyPolicyInhibited = value;
385  }
386
387  /**
388   * Returns the value of the <i>policy qualifiers enabled</i> flag. The
389   * default value of this flag is <code>true</code>.
390   *
391   * @return The <i>policy qualifiers enabled</i> flag.
392   */
393  public boolean getPolicyQualifiersRejected()
394  {
395    return policyQualRejected;
396  }
397
398  /**
399   * Sets the value of the <i>policy qualifiers enabled</i> flag.
400   *
401   * @param value The new value.
402   */
403  public void setPolicyQualifiersRejected(boolean value)
404  {
405    policyQualRejected = value;
406  }
407
408  /**
409   * Returns the date for which the certificate path should be
410   * validated, or null if the current time should be used. The date
411   * object is copied to prevent subsequent modification.
412   *
413   * @return The date, or null if not set.
414   */
415  public Date getDate()
416  {
417    return date != null ? (Date) date.clone() : null;
418  }
419
420  /**
421   * Sets the date for which the certificate path should be validated,
422   * or null if the current time should be used.
423   *
424   * @param date The new date, or null.
425   */
426  public void setDate(Date date)
427  {
428    if (date != null)
429      this.date = (Date) date.clone();
430    else
431      this.date = null;
432  }
433
434  /**
435   * Add a certificate path checker.
436   *
437   * @param checker The certificate path checker to add.
438   */
439  public void addCertPathChecker(PKIXCertPathChecker checker)
440  {
441    if (checker != null)
442      pathCheckers.add(checker);
443  }
444
445  /**
446   * Returns an immutable list of all certificate path checkers.
447   *
448   * @return An immutable list of all certificate path checkers.
449   */
450  public List<PKIXCertPathChecker> getCertPathCheckers()
451  {
452    return Collections.unmodifiableList(pathCheckers);
453  }
454
455  /**
456   * Sets the certificate path checkers. If the argument is null, the
457   * list of checkers will merely be cleared.
458   *
459   * @param pathCheckers The new list of certificate path checkers.
460   * @throws ClassCastException If any element of <i>pathCheckers</i> is
461   *         not a {@link PKIXCertPathChecker}.
462   */
463  public void setCertPathCheckers(List<PKIXCertPathChecker> pathCheckers)
464  {
465    this.pathCheckers.clear();
466    if (pathCheckers == null)
467      return;
468    for (Iterator i = pathCheckers.iterator(); i.hasNext(); )
469      {
470        this.pathCheckers.add((PKIXCertPathChecker) i.next());
471      }
472  }
473
474  /**
475   * Returns the signature algorithm provider, or null if not set.
476   *
477   * @return The signature algorithm provider, or null if not set.
478   */
479  public String getSigProvider()
480  {
481    return sigProvider;
482  }
483
484  /**
485   * Sets the signature algorithm provider, or null if there is no
486   * preferred provider.
487   *
488   * @param sigProvider The signature provider name.
489   */
490  public void setSigProvider(String sigProvider)
491  {
492    this.sigProvider = sigProvider;
493  }
494
495  /**
496   * Returns the constraints placed on the target certificate, or null
497   * if there are none. The target constraints are copied to prevent
498   * subsequent modification.
499   *
500   * @return The target constraints, or null.
501   */
502  public CertSelector getTargetCertConstraints()
503  {
504    return targetConstraints != null
505      ? (CertSelector) targetConstraints.clone() : null;
506  }
507
508  /**
509   * Sets the constraints placed on the target certificate.
510   *
511   * @param targetConstraints The target constraints.
512   */
513  public void setTargetCertConstraints(CertSelector targetConstraints)
514  {
515    this.targetConstraints = targetConstraints != null
516      ? (CertSelector) targetConstraints.clone() : null;
517  }
518
519  /**
520   * Returns a copy of these parameters.
521   *
522   * @return The copy.
523   */
524  public Object clone()
525  {
526    return new PKIXParameters(this);
527  }
528
529  /**
530   * Returns a printable representation of these parameters.
531   *
532   * @return A printable representation of these parameters.
533   */
534  public String toString() {
535    return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs="
536      + (initPolicies != null ? initPolicies.toString() : "any")
537      + "; Validity Date=" + date + "; Signature Provider="
538      + sigProvider + "; Default Revocation Enabled=" + revocationEnabled
539      + "; Explicit Policy Required=" + exPolicyRequired
540      + "; Policy Mapping Inhibited=" + policyMappingInhibited
541      + "; Any Policy Inhibited=" + anyPolicyInhibited
542      + "; Policy Qualifiers Rejected=" + policyQualRejected
543      + "; Target Cert Contstraints=" + targetConstraints
544      + "; Certification Path Checkers=" + pathCheckers
545      + "; CertStores=" + certStores + " ]";
546  }
547}