diff options
Diffstat (limited to 'libraries/spongycastle/prov/src/main/jdk1.3/org/spongycastle/x509/ExtendedPKIXParameters.java')
-rw-r--r-- | libraries/spongycastle/prov/src/main/jdk1.3/org/spongycastle/x509/ExtendedPKIXParameters.java | 647 |
1 files changed, 647 insertions, 0 deletions
diff --git a/libraries/spongycastle/prov/src/main/jdk1.3/org/spongycastle/x509/ExtendedPKIXParameters.java b/libraries/spongycastle/prov/src/main/jdk1.3/org/spongycastle/x509/ExtendedPKIXParameters.java new file mode 100644 index 000000000..c2636c5b6 --- /dev/null +++ b/libraries/spongycastle/prov/src/main/jdk1.3/org/spongycastle/x509/ExtendedPKIXParameters.java @@ -0,0 +1,647 @@ +package org.spongycastle.x509; + +import org.spongycastle.util.Selector; +import org.spongycastle.util.Store; + +import java.security.InvalidAlgorithmParameterException; +import org.spongycastle.jce.cert.CertSelector; +import org.spongycastle.jce.cert.CertStore; +import org.spongycastle.jce.cert.CollectionCertStoreParameters; +import org.spongycastle.jce.cert.LDAPCertStoreParameters; +import org.spongycastle.jce.cert.PKIXParameters; +import org.spongycastle.jce.cert.TrustAnchor; +import org.spongycastle.jce.cert.X509CertSelector; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +/** + * This class extends the PKIXParameters with a validity model parameter. + */ +public class ExtendedPKIXParameters + extends PKIXParameters +{ + + private List stores; + + private Selector selector; + + private boolean additionalLocationsEnabled; + + private List additionalStores; + + private Set trustedACIssuers; + + private Set necessaryACAttributes; + + private Set prohibitedACAttributes; + + private Set attrCertCheckers; + + /** + * Creates an instance of <code>PKIXParameters</code> with the specified + * <code>Set</code> of most-trusted CAs. Each element of the set is a + * {@link TrustAnchor TrustAnchor}. <p/> Note that the <code>Set</code> + * is copied to protect against subsequent modifications. + * + * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s + * @throws InvalidAlgorithmParameterException if the specified + * <code>Set</code> is empty. + * @throws NullPointerException if the specified <code>Set</code> is + * <code>null</code> + * @throws ClassCastException if any of the elements in the <code>Set</code> + * is not of type <code>java.security.cert.TrustAnchor</code> + */ + public ExtendedPKIXParameters(Set trustAnchors) + throws InvalidAlgorithmParameterException + { + super(trustAnchors); + stores = new ArrayList(); + additionalStores = new ArrayList(); + trustedACIssuers = new HashSet(); + necessaryACAttributes = new HashSet(); + prohibitedACAttributes = new HashSet(); + attrCertCheckers = new HashSet(); + } + + /** + * Returns an instance with the parameters of a given + * <code>PKIXParameters</code> object. + * + * @param pkixParams The given <code>PKIXParameters</code> + * @return an extended PKIX params object + */ + public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams) + { + ExtendedPKIXParameters params; + try + { + params = new ExtendedPKIXParameters(pkixParams.getTrustAnchors()); + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException(e.getMessage()); + } + params.setParams(pkixParams); + return params; + } + + /** + * Method to support <code>clone()</code> under J2ME. + * <code>super.clone()</code> does not exist and fields are not copied. + * + * @param params Parameters to set. If this are + * <code>ExtendedPKIXParameters</code> they are copied to. + */ + protected void setParams(PKIXParameters params) + { + setDate(params.getDate()); + setCertPathCheckers(params.getCertPathCheckers()); + setCertStores(params.getCertStores()); + setAnyPolicyInhibited(params.isAnyPolicyInhibited()); + setExplicitPolicyRequired(params.isExplicitPolicyRequired()); + setPolicyMappingInhibited(params.isPolicyMappingInhibited()); + setRevocationEnabled(params.isRevocationEnabled()); + setInitialPolicies(params.getInitialPolicies()); + setPolicyQualifiersRejected(params.getPolicyQualifiersRejected()); + setSigProvider(params.getSigProvider()); + setTargetCertConstraints(params.getTargetCertConstraints()); + try + { + setTrustAnchors(params.getTrustAnchors()); + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException(e.getMessage()); + } + if (params instanceof ExtendedPKIXParameters) + { + ExtendedPKIXParameters _params = (ExtendedPKIXParameters) params; + validityModel = _params.validityModel; + useDeltas = _params.useDeltas; + additionalLocationsEnabled = _params.additionalLocationsEnabled; + selector = _params.selector == null ? null + : (Selector) _params.selector.clone(); + stores = new ArrayList(_params.stores); + additionalStores = new ArrayList(_params.additionalStores); + trustedACIssuers = new HashSet(_params.trustedACIssuers); + prohibitedACAttributes = new HashSet(_params.prohibitedACAttributes); + necessaryACAttributes = new HashSet(_params.necessaryACAttributes); + attrCertCheckers = new HashSet(_params.attrCertCheckers); + } + } + + /** + * This is the default PKIX validity model. Actually there are two variants + * of this: The PKIX model and the modified PKIX model. The PKIX model + * verifies that all involved certificates must have been valid at the + * current time. The modified PKIX model verifies that all involved + * certificates were valid at the signing time. Both are indirectly choosen + * with the {@link PKIXParameters#setDate(java.util.Date)} method, so this + * methods sets the Date when <em>all</em> certificates must have been + * valid. + */ + public static final int PKIX_VALIDITY_MODEL = 0; + + /** + * This model uses the following validity model. Each certificate must have + * been valid at the moment where is was used. That means the end + * certificate must have been valid at the time the signature was done. The + * CA certificate which signed the end certificate must have been valid, + * when the end certificate was signed. The CA (or Root CA) certificate must + * have been valid, when the CA certificate was signed and so on. So the + * {@link PKIXParameters#setDate(java.util.Date)} method sets the time, when + * the <em>end certificate</em> must have been valid. <p/> It is used e.g. + * in the German signature law. + */ + public static final int CHAIN_VALIDITY_MODEL = 1; + + private int validityModel = PKIX_VALIDITY_MODEL; + + private boolean useDeltas = false; + + /** + * Defaults to <code>false</code>. + * + * @return Returns if delta CRLs should be used. + */ + public boolean isUseDeltasEnabled() + { + return useDeltas; + } + + /** + * Sets if delta CRLs should be used for checking the revocation status. + * + * @param useDeltas <code>true</code> if delta CRLs should be used. + */ + public void setUseDeltasEnabled(boolean useDeltas) + { + this.useDeltas = useDeltas; + } + + /** + * @return Returns the validity model. + * @see #CHAIN_VALIDITY_MODEL + * @see #PKIX_VALIDITY_MODEL + */ + public int getValidityModel() + { + return validityModel; + } + + /** + * Sets the Java CertStore to this extended PKIX parameters. + * + * @throws ClassCastException if an element of <code>stores</code> is not + * a <code>CertStore</code>. + */ + public void setCertStores(List stores) + { + if (stores != null) + { + Iterator it = stores.iterator(); + while (it.hasNext()) + { + addCertStore((CertStore)it.next()); + } + } + } + + /** + * Sets the Bouncy Castle Stores for finding CRLs, certificates, attribute + * certificates or cross certificates. + * <p> + * The <code>List</code> is cloned. + * + * @param stores A list of stores to use. + * @see #getStores + * @throws ClassCastException if an element of <code>stores</code> is not + * a {@link Store}. + */ + public void setStores(List stores) + { + if (stores == null) + { + this.stores = new ArrayList(); + } + else + { + for (Iterator i = stores.iterator(); i.hasNext();) + { + if (!(i.next() instanceof Store)) + { + throw new ClassCastException( + "All elements of list must be " + + "of type org.spongycastle.util.Store."); + } + } + this.stores = new ArrayList(stores); + } + } + + /** + * Adds a Bouncy Castle {@link Store} to find CRLs, certificates, attribute + * certificates or cross certificates. + * <p> + * This method should be used to add local stores, like collection based + * X.509 stores, if available. Local stores should be considered first, + * before trying to use additional (remote) locations, because they do not + * need possible additional network traffic. + * <p> + * If <code>store</code> is <code>null</code> it is ignored. + * + * @param store The store to add. + * @see #getStores + */ + public void addStore(Store store) + { + if (stores != null) + { + stores.add(store); + } + } + + /** + * Adds a additional Bouncy Castle {@link Store} to find CRLs, certificates, + * attribute certificates or cross certificates. + * <p> + * You should not use this method. This method is used for adding additional + * X.509 stores, which are used to add (remote) locations, e.g. LDAP, found + * during X.509 object processing, e.g. in certificates or CRLs. This method + * is used in PKIX certification path processing. + * <p> + * If <code>store</code> is <code>null</code> it is ignored. + * + * @param store The store to add. + * @see #getStores() + */ + public void addAddionalStore(Store store) + { + if (store != null) + { + additionalStores.add(store); + } + } + + /** + * Returns an immutable <code>List</code> of additional Bouncy Castle + * <code>Store</code>s used for finding CRLs, certificates, attribute + * certificates or cross certificates. + * + * @return an immutable <code>List</code> of additional Bouncy Castle + * <code>Store</code>s. Never <code>null</code>. + * + * @see #addAddionalStore(Store) + */ + public List getAdditionalStores() + { + return Collections.unmodifiableList(additionalStores); + } + + /** + * Returns an immutable <code>List</code> of Bouncy Castle + * <code>Store</code>s used for finding CRLs, certificates, attribute + * certificates or cross certificates. + * + * @return an immutable <code>List</code> of Bouncy Castle + * <code>Store</code>s. Never <code>null</code>. + * + * @see #setStores(List) + */ + public List getStores() + { + return Collections.unmodifiableList(new ArrayList(stores)); + } + + /** + * @param validityModel The validity model to set. + * @see #CHAIN_VALIDITY_MODEL + * @see #PKIX_VALIDITY_MODEL + */ + public void setValidityModel(int validityModel) + { + this.validityModel = validityModel; + } + + public Object clone() + { + ExtendedPKIXParameters params; + try + { + params = new ExtendedPKIXParameters(getTrustAnchors()); + } + catch (Exception e) + { + // cannot happen + throw new RuntimeException(e.getMessage()); + } + params.setParams(this); + return params; + } + + /** + * Returns if additional {@link X509Store}s for locations like LDAP found + * in certificates or CRLs should be used. + * + * @return Returns <code>true</code> if additional stores are used. + */ + public boolean isAdditionalLocationsEnabled() + { + return additionalLocationsEnabled; + } + + /** + * Sets if additional {@link X509Store}s for locations like LDAP found in + * certificates or CRLs should be used. + * + * @param enabled <code>true</code> if additional stores are used. + */ + public void setAdditionalLocationsEnabled(boolean enabled) + { + additionalLocationsEnabled = enabled; + } + + /** + * Returns the required constraints on the target certificate or attribute + * certificate. The constraints are returned as an instance of + * <code>Selector</code>. If <code>null</code>, no constraints are + * defined. + * + * <p> + * The target certificate in a PKIX path may be a certificate or an + * attribute certificate. + * <p> + * Note that the <code>Selector</code> returned is cloned to protect + * against subsequent modifications. + * + * @return a <code>Selector</code> specifying the constraints on the + * target certificate or attribute certificate (or <code>null</code>) + * @see #setTargetConstraints + * @see X509CertStoreSelector + * @see X509AttributeCertStoreSelector + */ + public Selector getTargetConstraints() + { + if (selector != null) + { + return (Selector) selector.clone(); + } + else + { + return null; + } + } + + /** + * Sets the required constraints on the target certificate or attribute + * certificate. The constraints are specified as an instance of + * <code>Selector</code>. If <code>null</code>, no constraints are + * defined. + * <p> + * The target certificate in a PKIX path may be a certificate or an + * attribute certificate. + * <p> + * Note that the <code>Selector</code> specified is cloned to protect + * against subsequent modifications. + * + * @param selector a <code>Selector</code> specifying the constraints on + * the target certificate or attribute certificate (or + * <code>null</code>) + * @see #getTargetConstraints + * @see X509CertStoreSelector + * @see X509AttributeCertStoreSelector + */ + public void setTargetConstraints(Selector selector) + { + if (selector != null) + { + this.selector = (Selector) selector.clone(); + } + else + { + this.selector = null; + } + } + + /** + * Sets the required constraints on the target certificate. The constraints + * are specified as an instance of <code>X509CertSelector</code>. If + * <code>null</code>, no constraints are defined. + * + * <p> + * This method wraps the given <code>X509CertSelector</code> into a + * <code>X509CertStoreSelector</code>. + * <p> + * Note that the <code>X509CertSelector</code> specified is cloned to + * protect against subsequent modifications. + * + * @param selector a <code>X509CertSelector</code> specifying the + * constraints on the target certificate (or <code>null</code>) + * @see #getTargetCertConstraints + * @see X509CertStoreSelector + */ + public void setTargetCertConstraints(CertSelector selector) + { + super.setTargetCertConstraints(selector); + if (selector != null) + { + this.selector = X509CertStoreSelector + .getInstance((X509CertSelector) selector); + } + else + { + this.selector = null; + } + } + + /** + * Returns the trusted attribute certificate issuers. If attribute + * certificates is verified the trusted AC issuers must be set. + * <p> + * The returned <code>Set</code> consists of <code>TrustAnchor</code>s. + * <p> + * The returned <code>Set</code> is immutable. Never <code>null</code> + * + * @return Returns an immutable set of the trusted AC issuers. + */ + public Set getTrustedACIssuers() + { + return Collections.unmodifiableSet(trustedACIssuers); + } + + /** + * Sets the trusted attribute certificate issuers. If attribute certificates + * is verified the trusted AC issuers must be set. + * <p> + * The <code>trustedACIssuers</code> must be a <code>Set</code> of + * <code>TrustAnchor</code> + * <p> + * The given set is cloned. + * + * @param trustedACIssuers The trusted AC issuers to set. Is never + * <code>null</code>. + * @throws ClassCastException if an element of <code>stores</code> is not + * a <code>TrustAnchor</code>. + */ + public void setTrustedACIssuers(Set trustedACIssuers) + { + if (trustedACIssuers == null) + { + trustedACIssuers.clear(); + return; + } + for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) + { + if (!(it.next() instanceof TrustAnchor)) + { + throw new ClassCastException("All elements of set must be " + + "of type " + TrustAnchor.class.getName() + "."); + } + } + this.trustedACIssuers.clear(); + this.trustedACIssuers.addAll(trustedACIssuers); + } + + /** + * Returns the neccessary attributes which must be contained in an attribute + * certificate. + * <p> + * The returned <code>Set</code> is immutable and contains + * <code>String</code>s with the OIDs. + * + * @return Returns the necessary AC attributes. + */ + public Set getNecessaryACAttributes() + { + return Collections.unmodifiableSet(necessaryACAttributes); + } + + /** + * Sets the neccessary which must be contained in an attribute certificate. + * <p> + * The <code>Set</code> must contain <code>String</code>s with the + * OIDs. + * <p> + * The set is cloned. + * + * @param necessaryACAttributes The necessary AC attributes to set. + * @throws ClassCastException if an element of + * <code>necessaryACAttributes</code> is not a + * <code>String</code>. + */ + public void setNecessaryACAttributes(Set necessaryACAttributes) + { + if (necessaryACAttributes == null) + { + this.necessaryACAttributes.clear(); + return; + } + for (Iterator it = necessaryACAttributes.iterator(); it.hasNext();) + { + if (!(it.next() instanceof String)) + { + throw new ClassCastException("All elements of set must be " + + "of type String."); + } + } + this.necessaryACAttributes.clear(); + this.necessaryACAttributes.addAll(necessaryACAttributes); + } + + /** + * Returns the attribute certificates which are not allowed. + * <p> + * The returned <code>Set</code> is immutable and contains + * <code>String</code>s with the OIDs. + * + * @return Returns the prohibited AC attributes. Is never <code>null</code>. + */ + public Set getProhibitedACAttributes() + { + return prohibitedACAttributes; + } + + /** + * Sets the attribute certificates which are not allowed. + * <p> + * The <code>Set</code> must contain <code>String</code>s with the + * OIDs. + * <p> + * The set is cloned. + * + * @param prohibitedACAttributes The prohibited AC attributes to set. + * @throws ClassCastException if an element of + * <code>prohibitedACAttributes</code> is not a + * <code>String</code>. + */ + public void setProhibitedACAttributes(Set prohibitedACAttributes) + { + if (prohibitedACAttributes == null) + { + this.prohibitedACAttributes.clear(); + return; + } + for (Iterator it = prohibitedACAttributes.iterator(); it.hasNext();) + { + if (!(it.next() instanceof String)) + { + throw new ClassCastException("All elements of set must be " + + "of type String."); + } + } + this.prohibitedACAttributes.clear(); + this.prohibitedACAttributes.addAll(prohibitedACAttributes); + } + + /** + * Returns the attribute certificate checker. The returned set contains + * {@link PKIXAttrCertChecker}s and is immutable. + * + * @return Returns the attribute certificate checker. Is never + * <code>null</code>. + */ + public Set getAttrCertCheckers() + { + return Collections.unmodifiableSet(attrCertCheckers); + } + + /** + * Sets the attribute certificate checkers. + * <p> + * All elements in the <code>Set</code> must a {@link PKIXAttrCertChecker}. + * <p> + * The given set is cloned. + * + * @param attrCertCheckers The attribute certificate checkers to set. Is + * never <code>null</code>. + * @throws ClassCastException if an element of <code>attrCertCheckers</code> + * is not a <code>PKIXAttrCertChecker</code>. + */ +/* + public void setAttrCertCheckers(Set attrCertCheckers) + { + if (attrCertCheckers == null) + { + this.attrCertCheckers.clear(); + return; + } + for (Iterator it = attrCertCheckers.iterator(); it.hasNext();) + { + if (!(it.next() instanceof PKIXAttrCertChecker)) + { + throw new ClassCastException("All elements of set must be " + + "of type " + PKIXAttrCertChecker.class.getName() + "."); + } + } + this.attrCertCheckers.clear(); + this.attrCertCheckers.addAll(attrCertCheckers); + } +*/ +} |