diff options
Diffstat (limited to 'prov/src/main/jdk1.3/org/bouncycastle/jce/cert/PKIXParameters.java')
| -rw-r--r-- | prov/src/main/jdk1.3/org/bouncycastle/jce/cert/PKIXParameters.java | 844 |
1 files changed, 0 insertions, 844 deletions
diff --git a/prov/src/main/jdk1.3/org/bouncycastle/jce/cert/PKIXParameters.java b/prov/src/main/jdk1.3/org/bouncycastle/jce/cert/PKIXParameters.java deleted file mode 100644 index 26c50db3..00000000 --- a/prov/src/main/jdk1.3/org/bouncycastle/jce/cert/PKIXParameters.java +++ /dev/null @@ -1,844 +0,0 @@ -package org.bouncycastle.jce.cert; - -import java.security.InvalidAlgorithmParameterException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Date; -import java.util.Enumeration; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Set; - -/** - * Parameters used as input for the PKIX CertPathValidator algorithm.<br /> - * <br /> - * A PKIX <code>CertPathValidator</code> uses these parameters to validate a - * <code>CertPath</code> according to the PKIX certification path validation - * algorithm.<br /> - * <br /> - * To instantiate a <code>PKIXParameters</code> object, an application must - * specify one or more <i>most-trusted CAs</i> as defined by the PKIX - * certification path validation algorithm. The most-trusted CAs can be - * specified using one of two constructors. An application can call - * {@link #PKIXParameters(Set)}, specifying a Set of <code>TrustAnchor</code> - * objects, each of which identify a most-trusted CA. Alternatively, an - * application can call {@link #PKIXParameters(KeyStore)}, specifying a - * <code>KeyStore</code> instance containing trusted certificate entries, each - * of which will be considered as a most-trusted CA.<br /> - * <br /> - * Once a <code>PKIXParameters</code> object has been created, other - * parameters can be specified (by calling {@link #setInitialPolicies} or - * {@link #setDate}, for instance) and then the <code>PKIXParameters</code> - * is passed along with the <code>CertPath</code> to be validated to - * {@link CertPathValidator#validate}.<br /> - * <br /> - * Any parameter that is not set (or is set to null) will be set to the default - * value for that parameter. The default value for the date parameter is null, - * which indicates the current time when the path is validated. The default for - * the remaining parameters is the least constrained.<br /> - * <br /> - * <b>Concurrent Access</b><br /> - * <br /> - * Unless otherwise specified, the methods defined in this class are not - * thread-safe. Multiple threads that need to access a single object - * concurrently should synchronize amongst themselves and provide the necessary - * locking. Multiple threads each manipulating separate objects need not - * synchronize. - * - * @see CertPathValidator - */ -public class PKIXParameters implements CertPathParameters -{ - private Set trustAnchors; - - private Set initialPolicies = new HashSet(); - - private List certStores = new ArrayList(); - - private CertSelector certSelector; - - private List certPathCheckers = new ArrayList(); - - private boolean revocationEnabled = true; - - private boolean explicitPolicyRequired = false; - - private boolean policyMappingInhibited = false; - - private boolean anyPolicyInhibited = false; - - private boolean policyQualifiersRejected = true; - - private Date date; - - private String sigProvider; - - /** - * Creates an instance of PKIXParameters with the specified Set of - * most-trusted CAs. Each element of the set is a TrustAnchor.<br /> - * <br /> - * Note that the Set is copied to protect against subsequent modifications. - * - * @param trustAnchors - * a Set of TrustAnchors - * - * @exception InvalidAlgorithmParameterException - * if the specified Set is empty - * <code>(trustAnchors.isEmpty() == true)</code> - * @exception NullPointerException - * if the specified Set is <code>null</code> - * @exception ClassCastException - * if any of the elements in the Set are not of type - * <code>java.security.cert.TrustAnchor</code> - */ - public PKIXParameters(Set trustAnchors) - throws InvalidAlgorithmParameterException - { - setTrustAnchors(trustAnchors); - } - - /** - * Creates an instance of PKIXParameters that populates the set of - * most-trusted CAs from the trusted certificate entries contained in the - * specified KeyStore. Only keystore entries that contain trusted - * X509Certificates are considered; all other certificate types are ignored. - * - * @param keystore - * a KeyStore from which the set of most-trusted CAs will be - * populated - * - * @exception KeyStoreException - * if the keystore has not been initialized - * @exception InvalidAlgorithmParameterException - * if the keystore does not contain at least one trusted - * certificate entry - * @exception NullPointerException - * if the keystore is null - */ - public PKIXParameters(KeyStore keystore) throws KeyStoreException, - InvalidAlgorithmParameterException - { - if (keystore == null) - { - throw new NullPointerException( - "the keystore parameter must be non-null"); - } - - Set trustAnchors = new HashSet(); - String alias; - Certificate cert; - Enumeration enum = keystore.aliases(); - while (enum.hasMoreElements()) - { - alias = (String)enum.nextElement(); - if (keystore.isCertificateEntry(alias)) - { - cert = keystore.getCertificate(alias); - if (cert instanceof X509Certificate) - { - trustAnchors.add(new TrustAnchor((X509Certificate)cert, - null)); - } - } - } - setTrustAnchors(trustAnchors); - } - - /** - * Returns an immutable Set of the most-trusted CAs. - * - * @return an immutable <code>Set</code> of <code>TrustAnchors</code> - * (never <code>null</code>) - * - * @see #setTrustAnchors - */ - public Set getTrustAnchors() - { - return Collections.unmodifiableSet(trustAnchors); - } - - /** - * Sets the Set of most-trusted CAs.<br /> - * <br /> - * Note that the Set is copied to protect against subsequent modifications.<br /> - * <br /> - * - * @param trustAnchors - * a Set of TrustAnchors - * - * @exception InvalidAlgorithmParameterException - * if the specified Set is empty - * <code>(trustAnchors.isEmpty() == true)</code> - * @exception NullPointerException - * if the specified Set is <code>null</code> - * @exception ClassCastException - * if any of the elements in the set are not of type - * java.security.cert.TrustAnchor - * - * @see #getTrustAnchors - */ - public void setTrustAnchors(Set trustAnchors) - throws InvalidAlgorithmParameterException - { - if (trustAnchors == null) - { - throw new NullPointerException( - "the trustAnchors parameter must be non-null"); - } - if (trustAnchors.isEmpty()) - { - throw new InvalidAlgorithmParameterException( - "the trustAnchors parameter must be non-empty"); - } - - Iterator iter = trustAnchors.iterator(); - TrustAnchor obj; - this.trustAnchors = new HashSet(); - while (iter.hasNext()) - { - obj = (TrustAnchor)iter.next(); - if (obj != null) - { - this.trustAnchors.add(obj); - } - } - } - - /** - * Returns an immutable Set of initial policy identifiers (OID strings), - * indicating that any one of these policies would be acceptable to the - * certificate user for the purposes of certification path processing. The - * default return value is an empty <code>Set</code>, which is - * interpreted as meaning that any policy would be acceptable. - * - * @return an immutable <code>Set</code> of initial policy OIDs in String - * format, or an empty <code>Set</code> (implying any policy is - * acceptable). Never returns <code>null</code>. - * - * @see #setInitialPolicies(java.util.Set) - */ - public Set getInitialPolicies() - { - Set returnSet = initialPolicies; - if (initialPolicies == null) - { - returnSet = new HashSet(); - } - - return Collections.unmodifiableSet(returnSet); - } - - /** - * Sets the <code>Set</code> of initial policy identifiers (OID strings), - * indicating that any one of these policies would be acceptable to the - * certificate user for the purposes of certification path processing. By - * default, any policy is acceptable (i.e. all policies), so a user that - * wants to allow any policy as acceptable does not need to call this - * method, or can call it with an empty <code>Set</code> (or - * <code>null</code>).<br /> - * <br /> - * Note that the Set is copied to protect against subsequent modifications.<br /> - * <br /> - * - * @param initialPolicies - * a Set of initial policy OIDs in String format (or - * <code>null</code>) - * - * @exception ClassCastException - * if any of the elements in the set are not of type String - * - * @see #getInitialPolicies() - */ - public void setInitialPolicies(Set initialPolicies) - { - if (initialPolicies == null || initialPolicies.isEmpty()) - { - this.initialPolicies = null; - } - else - { - Iterator iter = initialPolicies.iterator(); - this.initialPolicies = new HashSet(); - String obj; - while (iter.hasNext()) - { - obj = (String)iter.next(); - if (obj != null) - { - this.initialPolicies.add(obj); - } - } - } - } - - /** - * Sets the list of CertStores to be used in finding certificates and CRLs. - * May be null, in which case no CertStores will be used. The first - * CertStores in the list may be preferred to those that appear later.<br /> - * <br /> - * Note that the List is copied to protect against subsequent modifications.<br /> - * <br /> - * - * @param stores - * a List of CertStores (or <code>null</code>) - * - * @exception ClassCastException - * if any of the elements in the list are not of type - * <code>java.security.cert.CertStore</code> - * - * @see #getCertStores() - */ - public void setCertStores(List stores) - { - certStores = new ArrayList(); - if (stores != null && !stores.isEmpty()) - { - Iterator iter = stores.iterator(); - CertStore obj; - while (iter.hasNext()) - { - obj = (CertStore)iter.next(); - if (obj != null) - { - certStores.add(obj); - } - } - } - } - - /** - * Adds a CertStore to the end of the list of CertStores used in finding - * certificates and CRLs. - * - * @param store - * the <code>CertStore</code> to add. If - * <code>null</code<, the store is ignored (not added to - * list). - */ - public void addCertStore(CertStore store) - { - if (store != null) - { - certStores.add(store); - } - } - - /** - * Returns an immutable List of CertStores that are used to find - * certificates and CRLs. - * - * @return an immutable List of CertStores (may be empty, but never - * <code>null</code>) - * - * @see #setCertStores(java.util.List) - */ - public List getCertStores() - { - return Collections.unmodifiableList(certStores); - } - - /** - * Sets the RevocationEnabled flag. If this flag is true, the default - * revocation checking mechanism of the underlying PKIX service provider - * will be used. If this flag is false, the default revocation checking - * mechanism will be disabled (not used).<br /> - * <br /> - * When a <code>PKIXParameters</code> object is created, this flag is set - * to true. This setting reflects the most common strategy for checking - * revocation, since each service provider must support revocation checking - * to be PKIX compliant. Sophisticated applications should set this flag to - * false when it is not practical to use a PKIX service provider's default - * revocation checking mechanism or when an alternative revocation checking - * mechanism is to be substituted (by also calling the - * {@link #addCertPathChecker addCertPathChecker} or {@link - * #setCertPathCheckers setCertPathCheckers} methods). - * - * @param val - * the new value of the RevocationEnabled flag - */ - public void setRevocationEnabled(boolean val) - { - revocationEnabled = val; - } - - /** - * Checks the RevocationEnabled flag. If this flag is true, the default - * revocation checking mechanism of the underlying PKIX service provider - * will be used. If this flag is false, the default revocation checking - * mechanism will be disabled (not used). See the setRevocationEnabled - * method for more details on setting the value of this flag. - * - * @return the current value of the RevocationEnabled flag - */ - public boolean isRevocationEnabled() - { - return revocationEnabled; - } - - /** - * Sets the ExplicitPolicyRequired flag. If this flag is true, an acceptable - * policy needs to be explicitly identified in every certificate. By - * default, the ExplicitPolicyRequired flag is false. - * - * @param val - * true if explicit policy is to be required, false otherwise - */ - public void setExplicitPolicyRequired(boolean val) - { - explicitPolicyRequired = val; - } - - /** - * Checks if explicit policy is required. If this flag is true, an - * acceptable policy needs to be explicitly identified in every certificate. - * By default, the ExplicitPolicyRequired flag is false. - * - * @return true if explicit policy is required, false otherwise - */ - public boolean isExplicitPolicyRequired() - { - return explicitPolicyRequired; - } - - /** - * Sets the PolicyMappingInhibited flag. If this flag is true, policy - * mapping is inhibited. By default, policy mapping is not inhibited (the - * flag is false). - * - * @param val - * true if policy mapping is to be inhibited, false otherwise - */ - public void setPolicyMappingInhibited(boolean val) - { - policyMappingInhibited = val; - } - - /** - * Checks if policy mapping is inhibited. If this flag is true, policy - * mapping is inhibited. By default, policy mapping is not inhibited (the - * flag is false). - * - * @return true if policy mapping is inhibited, false otherwise - */ - public boolean isPolicyMappingInhibited() - { - return policyMappingInhibited; - } - - /** - * Sets state to determine if the any policy OID should be processed if it - * is included in a certificate. By default, the any policy OID is not - * inhibited ({@link #isAnyPolicyInhibited()} returns false). - * - * @return val - <code>true</code> if the any policy OID is to be - * inhibited, <code>false</code> otherwise - */ - public void setAnyPolicyInhibited(boolean val) - { - anyPolicyInhibited = val; - } - - /** - * Checks whether the any policy OID should be processed if it is included - * in a certificate. - * - * @return <code>true</code> if the any policy OID is inhibited, - * <code>false</code> otherwise - */ - public boolean isAnyPolicyInhibited() - { - return anyPolicyInhibited; - } - - /** - * Sets the PolicyQualifiersRejected flag. If this flag is true, - * certificates that include policy qualifiers in a certificate policies - * extension that is marked critical are rejected. If the flag is false, - * certificates are not rejected on this basis.<br /> - * <br /> - * When a <code>PKIXParameters</code> object is created, this flag is set - * to true. This setting reflects the most common (and simplest) strategy - * for processing policy qualifiers. Applications that want to use a more - * sophisticated policy must set this flag to false.<br /> - * <br /> - * Note that the PKIX certification path validation algorithm specifies that - * any policy qualifier in a certificate policies extension that is marked - * critical must be processed and validated. Otherwise the certification - * path must be rejected. If the policyQualifiersRejected flag is set to - * false, it is up to the application to validate all policy qualifiers in - * this manner in order to be PKIX compliant. - * - * @param qualifiersRejected - * the new value of the PolicyQualifiersRejected flag - * - * @see #getPolicyQualifiersRejected() - * @see PolicyQualifierInfo - */ - public void setPolicyQualifiersRejected(boolean qualifiersRejected) - { - policyQualifiersRejected = qualifiersRejected; - } - - /** - * Gets the PolicyQualifiersRejected flag. If this flag is true, - * certificates that include policy qualifiers in a certificate policies - * extension that is marked critical are rejected. If the flag is false, - * certificates are not rejected on this basis.<br /> - * <br /> - * When a PKIXParameters object is created, this flag is set to true. This - * setting reflects the most common (and simplest) strategy for processing - * policy qualifiers. Applications that want to use a more sophisticated - * policy must set this flag to false. - * - * @return the current value of the PolicyQualifiersRejected flag - * - * @see #setPolicyQualifiersRejected(boolean) - */ - public boolean getPolicyQualifiersRejected() - { - return policyQualifiersRejected; - } - - /** - * Returns the time for which the validity of the certification path should - * be determined. If null, the current time is used.<br /> - * <br /> - * Note that the Date returned is copied to protect against subsequent - * modifications. - * - * @return the Date, or <code>null</code> if not set - * - * @see #setDate(java.util.Date) - */ - public Date getDate() - { - if (date == null) - { - return null; - } - - return new Date(date.getTime()); - } - - /** - * Sets the time for which the validity of the certification path should be - * determined. If null, the current time is used.<br /> - * <br /> - * Note that the Date supplied here is copied to protect against subsequent - * modifications. - * - * @param date - * the Date, or <code>null</code> for the current time - * - * @see #getDate() - */ - public void setDate(Date date) - { - if (date == null) - { - this.date = null; - } - else - { - this.date = new Date(date.getTime()); - } - } - - /** - * Sets a <code>List</code> of additional certification path checkers. If - * the specified List contains an object that is not a PKIXCertPathChecker, - * it is ignored.<br /> - * <br /> - * Each <code>PKIXCertPathChecker</code> specified implements additional - * checks on a certificate. Typically, these are checks to process and - * verify private extensions contained in certificates. Each - * <code>PKIXCertPathChecker</code> should be instantiated with any - * initialization parameters needed to execute the check.<br /> - * <br /> - * This method allows sophisticated applications to extend a PKIX - * <code>CertPathValidator</code> or <code>CertPathBuilder</code>. Each - * of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX - * <code>CertPathValidator</code> or <code>CertPathBuilder</code> for - * each certificate processed or validated.<br /> - * <br /> - * Regardless of whether these additional PKIXCertPathCheckers are set, a - * PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code> - * must perform all of the required PKIX checks on each certificate. The one - * exception to this rule is if the RevocationEnabled flag is set to false - * (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled} - * method).<br /> - * <br /> - * Note that the List supplied here is copied and each PKIXCertPathChecker - * in the list is cloned to protect against subsequent modifications. - * - * @param checkers - * a List of PKIXCertPathCheckers. May be null, in which case no - * additional checkers will be used. - * @exception ClassCastException - * if any of the elements in the list are not of type - * <code>java.security.cert.PKIXCertPathChecker</code> - * @see #getCertPathCheckers() - */ - public void setCertPathCheckers(List checkers) - { - certPathCheckers = new ArrayList(); - if (checkers == null) - { - return; - } - Iterator iter = checkers.iterator(); - while (iter.hasNext()) - { - certPathCheckers - .add((PKIXCertPathChecker)((PKIXCertPathChecker)iter.next()) - .clone()); - } - } - - /** - * Returns the List of certification path checkers. The returned List is - * immutable, and each PKIXCertPathChecker in the List is cloned to protect - * against subsequent modifications. - * - * @return an immutable List of PKIXCertPathCheckers (may be empty, but not - * <code>null</code>) - * - * @see #setCertPathCheckers(java.util.List) - */ - public List getCertPathCheckers() - { - List checkers = new ArrayList(); - Iterator iter = certPathCheckers.iterator(); - while (iter.hasNext()) - { - checkers - .add((PKIXCertPathChecker)((PKIXCertPathChecker)iter.next()) - .clone()); - } - return Collections.unmodifiableList(checkers); - } - - /** - * Adds a PKIXCertPathChecker to the list of certification path checkers. - * See the {@link #setCertPathCheckers} method for more details.<br /> - * <br /> - * Note that the <code>PKIXCertPathChecker</code> is cloned to protect - * against subsequent modifications. - * - * @param checker - * a <code>PKIXCertPathChecker</code> to add to the list of - * checks. If <code>null</code>, the checker is ignored (not - * added to list). - */ - public void addCertPathChecker(PKIXCertPathChecker checker) - { - if (checker != null) - { - certPathCheckers.add(checker.clone()); - } - } - - /** - * Returns the signature provider's name, or <code>null</code> if not set. - * - * @return the signature provider's name (or <code>null</code>) - * - * @see #setSigProvider(java.lang.String) - */ - public String getSigProvider() - { - return sigProvider; - } - - /** - * Sets the signature provider's name. The specified provider will be - * preferred when creating Signature objects. If null or not set, the first - * provider found supporting the algorithm will be used. - * - * @param sigProvider - * the signature provider's name (or <code>null</code>) - * - * @see #getSigProvider() - */ - public void setSigProvider(String sigProvider) - { - this.sigProvider = sigProvider; - } - - /** - * Returns the required constraints on the target certificate. The - * constraints are returned as an instance of CertSelector. If - * <code>null</code>, no constraints are defined.<br /> - * <br /> - * Note that the CertSelector returned is cloned to protect against - * subsequent modifications. - * - * @return a CertSelector specifying the constraints on the target - * certificate (or <code>null</code>) - * - * @see #setTargetCertConstraints(CertSelector) - */ - public CertSelector getTargetCertConstraints() - { - if (certSelector == null) - { - return null; - } - - return (CertSelector)certSelector.clone(); - } - - /** - * Sets the required constraints on the target certificate. The constraints - * are specified as an instance of CertSelector. If null, no constraints are - * defined.<br /> - * <br /> - * Note that the CertSelector specified is cloned to protect against - * subsequent modifications. - * - * @param selector - * a CertSelector specifying the constraints on the target - * certificate (or <code>null</code>) - * - * @see #getTargetCertConstraints() - */ - public void setTargetCertConstraints(CertSelector selector) - { - if (selector == null) - { - certSelector = null; - } - else - { - certSelector = (CertSelector)selector.clone(); - } - } - - /** - * Makes a copy of this PKIXParameters object. Changes to the copy will not - * affect the original and vice versa. - * - * @return a copy of this <code>PKIXParameters</code> object - */ - public Object clone() - { - try - { - PKIXParameters obj = (PKIXParameters)super.clone(); - obj.certStores = new ArrayList(certStores); - Iterator iter = certPathCheckers.iterator(); - obj.certPathCheckers = new ArrayList(); - while (iter.hasNext()) - { - obj.certPathCheckers.add(((PKIXCertPathChecker)iter.next()) - .clone()); - } - if (initialPolicies != null) - { - obj.initialPolicies = new HashSet(initialPolicies); - } - if (trustAnchors != null) - { - obj.trustAnchors = new HashSet(trustAnchors); - } - if (certSelector != null) - { - obj.certSelector = (CertSelector)certSelector.clone(); - } - return obj; - } - catch (CloneNotSupportedException ex) - { - throw new InternalError(); - } - } - - /** - * Returns a formatted string describing the parameters. - * - * @return a formatted string describing the parameters. - */ - public String toString() - { - StringBuffer s = new StringBuffer(); - s.append("[\n"); - if (trustAnchors != null) - { - s.append(" Trust Anchors: ").append(trustAnchors).append('\n'); - } - if (initialPolicies != null) - { - if (initialPolicies.isEmpty()) - { - s.append(" Initial Policy OIDs: any\n"); - } - else - { - s.append(" Initial Policy OIDs: [") - .append(initialPolicies).append("]\n"); - } - } - s.append(" Validity Date: "); - if (date != null) - { - s.append(date); - } - else - { - s.append("null"); - } - s.append('\n'); - - s.append(" Signature Provider: "); - if (sigProvider != null) - { - s.append(sigProvider); - } - else - { - s.append("null"); - } - s.append('\n'); - - s.append(" Default Revocation Enabled: "); - s.append(revocationEnabled); - s.append('\n'); - - s.append(" Explicit Policy Required: "); - s.append(explicitPolicyRequired); - s.append('\n'); - - s.append(" Policy Mapping Inhibited: "); - s.append(policyMappingInhibited); - s.append('\n'); - - s.append(" Any Policy Inhibited: "); - s.append(anyPolicyInhibited); - s.append('\n'); - - s.append(" Policy Qualifiers Rejected: "); - s.append(policyQualifiersRejected); - s.append('\n'); - - s.append(" Target Cert Constraints: "); - s.append(certSelector); - s.append('\n'); - - s.append(" Certification Path Checkers: ["); - s.append(certPathCheckers); - s.append("}\n"); - - s.append(" CertStores: ["); - s.append(certStores); - s.append("}\n"); - - s.append("]\n"); - - return s.toString(); - } -} |