1 package org.bouncycastle.x509; 2 3 import java.security.InvalidAlgorithmParameterException; 4 import java.security.cert.CertSelector; 5 import java.security.cert.CertStore; 6 import java.security.cert.PKIXParameters; 7 import java.security.cert.TrustAnchor; 8 import java.security.cert.X509CertSelector; 9 import java.util.ArrayList; 10 import java.util.Collections; 11 import java.util.HashSet; 12 import java.util.Iterator; 13 import java.util.List; 14 import java.util.Set; 15 16 import org.bouncycastle.util.Selector; 17 import org.bouncycastle.util.Store; 18 19 /** 20 * This class extends the PKIXParameters with a validity model parameter. 21 * 22 * @deprecated use PKIXExtendedParameters 23 */ 24 public class ExtendedPKIXParameters 25 extends PKIXParameters 26 { 27 28 private List stores; 29 30 private Selector selector; 31 32 private boolean additionalLocationsEnabled; 33 34 private List additionalStores; 35 36 private Set trustedACIssuers; 37 38 private Set necessaryACAttributes; 39 40 private Set prohibitedACAttributes; 41 42 private Set attrCertCheckers; 43 44 /** 45 * Creates an instance of <code>PKIXParameters</code> with the specified 46 * <code>Set</code> of most-trusted CAs. Each element of the set is a 47 * {@link TrustAnchor TrustAnchor}. 48 * <p> 49 * Note that the <code>Set</code> 50 * is copied to protect against subsequent modifications. 51 * </p> 52 * 53 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s 54 * @throws InvalidAlgorithmParameterException if the specified 55 * <code>Set</code> is empty. 56 * @throws NullPointerException if the specified <code>Set</code> is 57 * <code>null</code> 58 * @throws ClassCastException if any of the elements in the <code>Set</code> 59 * is not of type <code>java.security.cert.TrustAnchor</code> 60 */ ExtendedPKIXParameters(Set trustAnchors)61 public ExtendedPKIXParameters(Set trustAnchors) 62 throws InvalidAlgorithmParameterException 63 { 64 super(trustAnchors); 65 stores = new ArrayList(); 66 additionalStores = new ArrayList(); 67 trustedACIssuers = new HashSet(); 68 necessaryACAttributes = new HashSet(); 69 prohibitedACAttributes = new HashSet(); 70 attrCertCheckers = new HashSet(); 71 } 72 73 /** 74 * Returns an instance with the parameters of a given 75 * <code>PKIXParameters</code> object. 76 * 77 * @param pkixParams The given <code>PKIXParameters</code> 78 * @return an extended PKIX params object 79 */ getInstance(PKIXParameters pkixParams)80 public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams) 81 { 82 ExtendedPKIXParameters params; 83 try 84 { 85 params = new ExtendedPKIXParameters(pkixParams.getTrustAnchors()); 86 } 87 catch (Exception e) 88 { 89 // cannot happen 90 throw new RuntimeException(e.getMessage()); 91 } 92 params.setParams(pkixParams); 93 return params; 94 } 95 96 /** 97 * Method to support <code>clone()</code> under J2ME. 98 * <code>super.clone()</code> does not exist and fields are not copied. 99 * 100 * @param params Parameters to set. If this are 101 * <code>ExtendedPKIXParameters</code> they are copied to. 102 */ setParams(PKIXParameters params)103 protected void setParams(PKIXParameters params) 104 { 105 setDate(params.getDate()); 106 setCertPathCheckers(params.getCertPathCheckers()); 107 setCertStores(params.getCertStores()); 108 setAnyPolicyInhibited(params.isAnyPolicyInhibited()); 109 setExplicitPolicyRequired(params.isExplicitPolicyRequired()); 110 setPolicyMappingInhibited(params.isPolicyMappingInhibited()); 111 setRevocationEnabled(params.isRevocationEnabled()); 112 setInitialPolicies(params.getInitialPolicies()); 113 setPolicyQualifiersRejected(params.getPolicyQualifiersRejected()); 114 setSigProvider(params.getSigProvider()); 115 setTargetCertConstraints(params.getTargetCertConstraints()); 116 try 117 { 118 setTrustAnchors(params.getTrustAnchors()); 119 } 120 catch (Exception e) 121 { 122 // cannot happen 123 throw new RuntimeException(e.getMessage()); 124 } 125 if (params instanceof ExtendedPKIXParameters) 126 { 127 ExtendedPKIXParameters _params = (ExtendedPKIXParameters) params; 128 validityModel = _params.validityModel; 129 useDeltas = _params.useDeltas; 130 additionalLocationsEnabled = _params.additionalLocationsEnabled; 131 selector = _params.selector == null ? null 132 : (Selector) _params.selector.clone(); 133 stores = new ArrayList(_params.stores); 134 additionalStores = new ArrayList(_params.additionalStores); 135 trustedACIssuers = new HashSet(_params.trustedACIssuers); 136 prohibitedACAttributes = new HashSet(_params.prohibitedACAttributes); 137 necessaryACAttributes = new HashSet(_params.necessaryACAttributes); 138 attrCertCheckers = new HashSet(_params.attrCertCheckers); 139 } 140 } 141 142 /** 143 * This is the default PKIX validity model. Actually there are two variants 144 * of this: The PKIX model and the modified PKIX model. The PKIX model 145 * verifies that all involved certificates must have been valid at the 146 * current time. The modified PKIX model verifies that all involved 147 * certificates were valid at the signing time. Both are indirectly choosen 148 * with the {@link PKIXParameters#setDate(java.util.Date)} method, so this 149 * methods sets the Date when <em>all</em> certificates must have been 150 * valid. 151 */ 152 public static final int PKIX_VALIDITY_MODEL = 0; 153 154 /** 155 * This model uses the following validity model. Each certificate must have 156 * been valid at the moment where is was used. That means the end 157 * certificate must have been valid at the time the signature was done. The 158 * CA certificate which signed the end certificate must have been valid, 159 * when the end certificate was signed. The CA (or Root CA) certificate must 160 * have been valid, when the CA certificate was signed and so on. So the 161 * {@link PKIXParameters#setDate(java.util.Date)} method sets the time, when 162 * the <em>end certificate</em> must have been valid. 163 * <p> 164 * It is used e.g. 165 * in the German signature law. 166 * </p> 167 */ 168 public static final int CHAIN_VALIDITY_MODEL = 1; 169 170 private int validityModel = PKIX_VALIDITY_MODEL; 171 172 private boolean useDeltas = false; 173 174 /** 175 * Defaults to <code>false</code>. 176 * 177 * @return Returns if delta CRLs should be used. 178 */ isUseDeltasEnabled()179 public boolean isUseDeltasEnabled() 180 { 181 return useDeltas; 182 } 183 184 /** 185 * Sets if delta CRLs should be used for checking the revocation status. 186 * 187 * @param useDeltas <code>true</code> if delta CRLs should be used. 188 */ setUseDeltasEnabled(boolean useDeltas)189 public void setUseDeltasEnabled(boolean useDeltas) 190 { 191 this.useDeltas = useDeltas; 192 } 193 194 /** 195 * @return Returns the validity model. 196 * @see #CHAIN_VALIDITY_MODEL 197 * @see #PKIX_VALIDITY_MODEL 198 */ getValidityModel()199 public int getValidityModel() 200 { 201 return validityModel; 202 } 203 204 /** 205 * Sets the Java CertStore to this extended PKIX parameters. 206 * 207 * @throws ClassCastException if an element of <code>stores</code> is not 208 * a <code>CertStore</code>. 209 */ setCertStores(List stores)210 public void setCertStores(List stores) 211 { 212 if (stores != null) 213 { 214 Iterator it = stores.iterator(); 215 while (it.hasNext()) 216 { 217 addCertStore((CertStore)it.next()); 218 } 219 } 220 } 221 222 /** 223 * Sets the Bouncy Castle Stores for finding CRLs, certificates, attribute 224 * certificates or cross certificates. 225 * <p> 226 * The <code>List</code> is cloned. 227 * 228 * @param stores A list of stores to use. 229 * @see #getStores 230 * @throws ClassCastException if an element of <code>stores</code> is not 231 * a {@link Store}. 232 */ setStores(List stores)233 public void setStores(List stores) 234 { 235 if (stores == null) 236 { 237 this.stores = new ArrayList(); 238 } 239 else 240 { 241 for (Iterator i = stores.iterator(); i.hasNext();) 242 { 243 if (!(i.next() instanceof Store)) 244 { 245 throw new ClassCastException( 246 "All elements of list must be " 247 + "of type org.bouncycastle.util.Store."); 248 } 249 } 250 this.stores = new ArrayList(stores); 251 } 252 } 253 254 /** 255 * Adds a Bouncy Castle {@link Store} to find CRLs, certificates, attribute 256 * certificates or cross certificates. 257 * <p> 258 * This method should be used to add local stores, like collection based 259 * X.509 stores, if available. Local stores should be considered first, 260 * before trying to use additional (remote) locations, because they do not 261 * need possible additional network traffic. 262 * <p> 263 * If <code>store</code> is <code>null</code> it is ignored. 264 * 265 * @param store The store to add. 266 * @see #getStores 267 */ addStore(Store store)268 public void addStore(Store store) 269 { 270 if (store != null) 271 { 272 stores.add(store); 273 } 274 } 275 276 /** 277 * Adds an additional Bouncy Castle {@link Store} to find CRLs, certificates, 278 * attribute certificates or cross certificates. 279 * <p> 280 * You should not use this method. This method is used for adding additional 281 * X.509 stores, which are used to add (remote) locations, e.g. LDAP, found 282 * during X.509 object processing, e.g. in certificates or CRLs. This method 283 * is used in PKIX certification path processing. 284 * <p> 285 * If <code>store</code> is <code>null</code> it is ignored. 286 * 287 * @param store The store to add. 288 * @see #getStores() 289 * @deprecated use addStore(). 290 */ addAdditionalStore(Store store)291 public void addAdditionalStore(Store store) 292 { 293 if (store != null) 294 { 295 additionalStores.add(store); 296 } 297 } 298 299 /** 300 * @deprecated 301 */ addAddionalStore(Store store)302 public void addAddionalStore(Store store) 303 { 304 addAdditionalStore(store); 305 } 306 307 /** 308 * Returns an immutable <code>List</code> of additional Bouncy Castle 309 * <code>Store</code>s used for finding CRLs, certificates, attribute 310 * certificates or cross certificates. 311 * 312 * @return an immutable <code>List</code> of additional Bouncy Castle 313 * <code>Store</code>s. Never <code>null</code>. 314 * 315 * @see #addAdditionalStore(Store) 316 */ getAdditionalStores()317 public List getAdditionalStores() 318 { 319 return Collections.unmodifiableList(additionalStores); 320 } 321 322 /** 323 * Returns an immutable <code>List</code> of Bouncy Castle 324 * <code>Store</code>s used for finding CRLs, certificates, attribute 325 * certificates or cross certificates. 326 * 327 * @return an immutable <code>List</code> of Bouncy Castle 328 * <code>Store</code>s. Never <code>null</code>. 329 * 330 * @see #setStores(List) 331 */ getStores()332 public List getStores() 333 { 334 return Collections.unmodifiableList(new ArrayList(stores)); 335 } 336 337 /** 338 * @param validityModel The validity model to set. 339 * @see #CHAIN_VALIDITY_MODEL 340 * @see #PKIX_VALIDITY_MODEL 341 */ setValidityModel(int validityModel)342 public void setValidityModel(int validityModel) 343 { 344 this.validityModel = validityModel; 345 } 346 clone()347 public Object clone() 348 { 349 ExtendedPKIXParameters params; 350 try 351 { 352 params = new ExtendedPKIXParameters(getTrustAnchors()); 353 } 354 catch (Exception e) 355 { 356 // cannot happen 357 throw new RuntimeException(e.getMessage()); 358 } 359 params.setParams(this); 360 return params; 361 } 362 363 /** 364 * Returns if additional {@link X509Store}s for locations like LDAP found 365 * in certificates or CRLs should be used. 366 * 367 * @return Returns <code>true</code> if additional stores are used. 368 */ isAdditionalLocationsEnabled()369 public boolean isAdditionalLocationsEnabled() 370 { 371 return additionalLocationsEnabled; 372 } 373 374 /** 375 * Sets if additional {@link X509Store}s for locations like LDAP found in 376 * certificates or CRLs should be used. 377 * 378 * @param enabled <code>true</code> if additional stores are used. 379 */ setAdditionalLocationsEnabled(boolean enabled)380 public void setAdditionalLocationsEnabled(boolean enabled) 381 { 382 additionalLocationsEnabled = enabled; 383 } 384 385 /** 386 * Returns the required constraints on the target certificate or attribute 387 * certificate. The constraints are returned as an instance of 388 * <code>Selector</code>. If <code>null</code>, no constraints are 389 * defined. 390 * 391 * <p> 392 * The target certificate in a PKIX path may be a certificate or an 393 * attribute certificate. 394 * <p> 395 * Note that the <code>Selector</code> returned is cloned to protect 396 * against subsequent modifications. 397 * 398 * @return a <code>Selector</code> specifying the constraints on the 399 * target certificate or attribute certificate (or <code>null</code>) 400 * @see #setTargetConstraints 401 * @see X509CertStoreSelector 402 * @see X509AttributeCertStoreSelector 403 */ getTargetConstraints()404 public Selector getTargetConstraints() 405 { 406 if (selector != null) 407 { 408 return (Selector) selector.clone(); 409 } 410 else 411 { 412 return null; 413 } 414 } 415 416 /** 417 * Sets the required constraints on the target certificate or attribute 418 * certificate. The constraints are specified as an instance of 419 * <code>Selector</code>. If <code>null</code>, no constraints are 420 * defined. 421 * <p> 422 * The target certificate in a PKIX path may be a certificate or an 423 * attribute certificate. 424 * <p> 425 * Note that the <code>Selector</code> specified is cloned to protect 426 * against subsequent modifications. 427 * 428 * @param selector a <code>Selector</code> specifying the constraints on 429 * the target certificate or attribute certificate (or 430 * <code>null</code>) 431 * @see #getTargetConstraints 432 * @see X509CertStoreSelector 433 * @see X509AttributeCertStoreSelector 434 */ setTargetConstraints(Selector selector)435 public void setTargetConstraints(Selector selector) 436 { 437 if (selector != null) 438 { 439 this.selector = (Selector) selector.clone(); 440 } 441 else 442 { 443 this.selector = null; 444 } 445 } 446 447 /** 448 * Sets the required constraints on the target certificate. The constraints 449 * are specified as an instance of <code>X509CertSelector</code>. If 450 * <code>null</code>, no constraints are defined. 451 * 452 * <p> 453 * This method wraps the given <code>X509CertSelector</code> into a 454 * <code>X509CertStoreSelector</code>. 455 * <p> 456 * Note that the <code>X509CertSelector</code> specified is cloned to 457 * protect against subsequent modifications. 458 * 459 * @param selector a <code>X509CertSelector</code> specifying the 460 * constraints on the target certificate (or <code>null</code>) 461 * @see #getTargetCertConstraints 462 * @see X509CertStoreSelector 463 */ setTargetCertConstraints(CertSelector selector)464 public void setTargetCertConstraints(CertSelector selector) 465 { 466 super.setTargetCertConstraints(selector); 467 if (selector != null) 468 { 469 this.selector = X509CertStoreSelector 470 .getInstance((X509CertSelector) selector); 471 } 472 else 473 { 474 this.selector = null; 475 } 476 } 477 478 /** 479 * Returns the trusted attribute certificate issuers. If attribute 480 * certificates is verified the trusted AC issuers must be set. 481 * <p> 482 * The returned <code>Set</code> consists of <code>TrustAnchor</code>s. 483 * <p> 484 * The returned <code>Set</code> is immutable. Never <code>null</code> 485 * 486 * @return Returns an immutable set of the trusted AC issuers. 487 */ getTrustedACIssuers()488 public Set getTrustedACIssuers() 489 { 490 return Collections.unmodifiableSet(trustedACIssuers); 491 } 492 493 /** 494 * Sets the trusted attribute certificate issuers. If attribute certificates 495 * is verified the trusted AC issuers must be set. 496 * <p> 497 * The <code>trustedACIssuers</code> must be a <code>Set</code> of 498 * <code>TrustAnchor</code> 499 * <p> 500 * The given set is cloned. 501 * 502 * @param trustedACIssuers The trusted AC issuers to set. Is never 503 * <code>null</code>. 504 * @throws ClassCastException if an element of <code>stores</code> is not 505 * a <code>TrustAnchor</code>. 506 */ setTrustedACIssuers(Set trustedACIssuers)507 public void setTrustedACIssuers(Set trustedACIssuers) 508 { 509 if (trustedACIssuers == null) 510 { 511 this.trustedACIssuers.clear(); 512 return; 513 } 514 for (Iterator it = trustedACIssuers.iterator(); it.hasNext();) 515 { 516 if (!(it.next() instanceof TrustAnchor)) 517 { 518 throw new ClassCastException("All elements of set must be " 519 + "of type " + TrustAnchor.class.getName() + "."); 520 } 521 } 522 this.trustedACIssuers.clear(); 523 this.trustedACIssuers.addAll(trustedACIssuers); 524 } 525 526 /** 527 * Returns the neccessary attributes which must be contained in an attribute 528 * certificate. 529 * <p> 530 * The returned <code>Set</code> is immutable and contains 531 * <code>String</code>s with the OIDs. 532 * 533 * @return Returns the necessary AC attributes. 534 */ getNecessaryACAttributes()535 public Set getNecessaryACAttributes() 536 { 537 return Collections.unmodifiableSet(necessaryACAttributes); 538 } 539 540 /** 541 * Sets the neccessary which must be contained in an attribute certificate. 542 * <p> 543 * The <code>Set</code> must contain <code>String</code>s with the 544 * OIDs. 545 * <p> 546 * The set is cloned. 547 * 548 * @param necessaryACAttributes The necessary AC attributes to set. 549 * @throws ClassCastException if an element of 550 * <code>necessaryACAttributes</code> is not a 551 * <code>String</code>. 552 */ setNecessaryACAttributes(Set necessaryACAttributes)553 public void setNecessaryACAttributes(Set necessaryACAttributes) 554 { 555 if (necessaryACAttributes == null) 556 { 557 this.necessaryACAttributes.clear(); 558 return; 559 } 560 for (Iterator it = necessaryACAttributes.iterator(); it.hasNext();) 561 { 562 if (!(it.next() instanceof String)) 563 { 564 throw new ClassCastException("All elements of set must be " 565 + "of type String."); 566 } 567 } 568 this.necessaryACAttributes.clear(); 569 this.necessaryACAttributes.addAll(necessaryACAttributes); 570 } 571 572 /** 573 * Returns the attribute certificates which are not allowed. 574 * <p> 575 * The returned <code>Set</code> is immutable and contains 576 * <code>String</code>s with the OIDs. 577 * 578 * @return Returns the prohibited AC attributes. Is never <code>null</code>. 579 */ getProhibitedACAttributes()580 public Set getProhibitedACAttributes() 581 { 582 return Collections.unmodifiableSet(prohibitedACAttributes); 583 } 584 585 /** 586 * Sets the attribute certificates which are not allowed. 587 * <p> 588 * The <code>Set</code> must contain <code>String</code>s with the 589 * OIDs. 590 * <p> 591 * The set is cloned. 592 * 593 * @param prohibitedACAttributes The prohibited AC attributes to set. 594 * @throws ClassCastException if an element of 595 * <code>prohibitedACAttributes</code> is not a 596 * <code>String</code>. 597 */ setProhibitedACAttributes(Set prohibitedACAttributes)598 public void setProhibitedACAttributes(Set prohibitedACAttributes) 599 { 600 if (prohibitedACAttributes == null) 601 { 602 this.prohibitedACAttributes.clear(); 603 return; 604 } 605 for (Iterator it = prohibitedACAttributes.iterator(); it.hasNext();) 606 { 607 if (!(it.next() instanceof String)) 608 { 609 throw new ClassCastException("All elements of set must be " 610 + "of type String."); 611 } 612 } 613 this.prohibitedACAttributes.clear(); 614 this.prohibitedACAttributes.addAll(prohibitedACAttributes); 615 } 616 617 /** 618 * Returns the attribute certificate checker. The returned set contains 619 * {@link PKIXAttrCertChecker}s and is immutable. 620 * 621 * @return Returns the attribute certificate checker. Is never 622 * <code>null</code>. 623 */ getAttrCertCheckers()624 public Set getAttrCertCheckers() 625 { 626 return Collections.unmodifiableSet(attrCertCheckers); 627 } 628 629 /** 630 * Sets the attribute certificate checkers. 631 * <p> 632 * All elements in the <code>Set</code> must a {@link PKIXAttrCertChecker}. 633 * <p> 634 * The given set is cloned. 635 * 636 * @param attrCertCheckers The attribute certificate checkers to set. Is 637 * never <code>null</code>. 638 * @throws ClassCastException if an element of <code>attrCertCheckers</code> 639 * is not a <code>PKIXAttrCertChecker</code>. 640 */ setAttrCertCheckers(Set attrCertCheckers)641 public void setAttrCertCheckers(Set attrCertCheckers) 642 { 643 if (attrCertCheckers == null) 644 { 645 this.attrCertCheckers.clear(); 646 return; 647 } 648 for (Iterator it = attrCertCheckers.iterator(); it.hasNext();) 649 { 650 if (!(it.next() instanceof PKIXAttrCertChecker)) 651 { 652 throw new ClassCastException("All elements of set must be " 653 + "of type " + PKIXAttrCertChecker.class.getName() + "."); 654 } 655 } 656 this.attrCertCheckers.clear(); 657 this.attrCertCheckers.addAll(attrCertCheckers); 658 } 659 660 } 661