package org.bouncycastle.jcajce;
import java.security.cert.CertPathParameters;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.bouncycastle.asn1.x509.GeneralName;
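/**
 * Extends {@link PKIXParameters} with a validity model parameter and with additional
 * certificate and CRL stores, both plain and keyed by an issuer alternative name.
 * <p>
 * Instances are immutable: every collection handed to the {@link Builder} is copied
 * when {@link Builder#build()} runs, so later changes to the builder, or to a
 * collection the caller passed in, cannot alter an already built parameter set.
 * {@link #clone()} therefore returns the instance itself.
 */
public class PKIXExtendedParameters
    implements CertPathParameters
{
    /**
     * This is the default PKIX validity model. Actually there are two variants
     * of this: The PKIX model and the modified PKIX model. The PKIX model
     * verifies that all involved certificates must have been valid at the
     * current time. The modified PKIX model verifies that all involved
     * certificates were valid at the signing time. Both are indirectly chosen
     * with the {@link PKIXParameters#setDate(Date)} method, so this
     * method sets the Date when <em>all</em> certificates must have been
     * valid.
     */
    public static final int PKIX_VALIDITY_MODEL = 0;

    /**
     * This model uses the following validity model. Each certificate must have
     * been valid at the moment where it was used. That means the end
     * certificate must have been valid at the time the signature was done. The
     * CA certificate which signed the end certificate must have been valid,
     * when the end certificate was signed. The CA (or Root CA) certificate must
     * have been valid, when the CA certificate was signed and so on. So the
     * {@link PKIXParameters#setDate(Date)} method sets the time, when
     * the <em>end certificate</em> must have been valid. It is used e.g.
     * in the German signature law.
     */
    public static final int CHAIN_VALIDITY_MODEL = 1;

    /**
     * Builder for a PKIXExtendedParameters object.
     * <p>
     * The builder is mutable and not thread-safe; {@link #build()} takes a snapshot
     * of its state, so a builder may be reused or modified after building.
     */
    public static class Builder
    {
        private final PKIXParameters baseParameters;
        private final Date date;

        private PKIXCertStoreSelector targetConstraints;
        private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>();
        private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>();
        private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>();
        private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>();
        private boolean revocationEnabled;
        private int validityModel = PKIX_VALIDITY_MODEL;
        private boolean useDeltas = false;
        private Set<TrustAnchor> trustAnchors;

        /**
         * Create a builder seeded from standard {@link PKIXParameters}.
         * <p>
         * The base parameters are cloned, so later changes to the caller's object are not
         * visible here. The target certificate constraints, revocation flag and trust
         * anchors are taken over; a {@code null} validation date is resolved to the
         * current time once, at construction, rather than at each use.
         *
         * @param baseParameters the standard parameters to start from.
         */
        public Builder(PKIXParameters baseParameters)
        {
            this.baseParameters = (PKIXParameters)baseParameters.clone();

            CertSelector constraints = baseParameters.getTargetCertConstraints();
            if (constraints != null)
            {
                this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
            }

            // PKIXParameters uses null to mean "validate at the current time"; pin that
            // time now so every path built from these parameters sees the same instant.
            Date checkDate = baseParameters.getDate();
            this.date = (checkDate == null) ? new Date() : checkDate;

            this.revocationEnabled = baseParameters.isRevocationEnabled();
            this.trustAnchors = baseParameters.getTrustAnchors();
        }

        /**
         * Create a builder that starts out as a mutable copy of existing extended parameters.
         *
         * @param baseParameters the parameters to copy.
         */
        public Builder(PKIXExtendedParameters baseParameters)
        {
            this.baseParameters = baseParameters.baseParameters;
            this.date = baseParameters.date;
            this.targetConstraints = baseParameters.targetConstraints;
            // fresh mutable copies: the source collections are unmodifiable views
            this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores);
            this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap);
            this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores);
            this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap);
            this.useDeltas = baseParameters.useDeltas;
            this.validityModel = baseParameters.validityModel;
            this.revocationEnabled = baseParameters.revocationEnabled;
            this.trustAnchors = baseParameters.trustAnchors;
        }

        /**
         * Add an additional certificate store to be consulted during path building.
         *
         * @param store the store to add.
         * @return the current builder.
         */
        public Builder addCertificateStore(PKIXCertStore store)
        {
            extraCertStores.add(store);

            return this;
        }

        /**
         * Add a certificate store associated with a particular issuer alternative name.
         *
         * @param issuerAltName the issuer alternative name the store is keyed by.
         * @param store         the store to add.
         * @return the current builder.
         */
        public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)
        {
            namedCertificateStoreMap.put(issuerAltName, store);

            return this;
        }

        /**
         * Add an additional CRL store to be consulted during revocation checking.
         *
         * @param store the store to add.
         * @return the current builder.
         */
        public Builder addCRLStore(PKIXCRLStore store)
        {
            extraCRLStores.add(store);

            return this;
        }

        /**
         * Add a CRL store associated with a particular issuer alternative name.
         *
         * @param issuerAltName the issuer alternative name the store is keyed by.
         * @param store         the store to add.
         * @return the current builder.
         */
        public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)
        {
            namedCRLStoreMap.put(issuerAltName, store);

            return this;
        }

        /**
         * Set the constraints the target certificate must satisfy.
         *
         * @param selector the selector describing the target, or {@code null} for no constraints.
         * @return the current builder.
         */
        public Builder setTargetConstraints(PKIXCertStoreSelector selector)
        {
            targetConstraints = selector;

            return this;
        }

        /**
         * Sets if delta CRLs should be used for checking the revocation status.
         *
         * @param useDeltas <code>true</code> if delta CRLs should be used.
         * @return the current builder.
         */
        public Builder setUseDeltasEnabled(boolean useDeltas)
        {
            this.useDeltas = useDeltas;

            return this;
        }

        /**
         * @param validityModel The validity model to set.
         * @return the current builder.
         * @see #CHAIN_VALIDITY_MODEL
         * @see #PKIX_VALIDITY_MODEL
         */
        public Builder setValidityModel(int validityModel)
        {
            this.validityModel = validityModel;

            return this;
        }

        /**
         * Set the trustAnchor to be used with these parameters.
         *
         * @param trustAnchor the trust anchor end-entity and CRLs must be based on.
         * @return the current builder.
         */
        public Builder setTrustAnchor(TrustAnchor trustAnchor)
        {
            this.trustAnchors = Collections.singleton(trustAnchor);

            return this;
        }

        /**
         * Set the set of trustAnchors to be used with these parameters.
         * <p>
         * The set is copied by {@link #build()}, so changes the caller makes to it
         * afterwards do not affect the built parameters.
         *
         * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and its associated CRLs must be based on.
         * @return the current builder.
         */
        public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors)
        {
            this.trustAnchors = trustAnchors;

            return this;
        }

        /**
         * Flag whether or not revocation checking is to be enabled.
         *
         * @param revocationEnabled true if revocation checking to be enabled, false otherwise.
         */
        public void setRevocationEnabled(boolean revocationEnabled)
        {
            this.revocationEnabled = revocationEnabled;
        }

        /**
         * Build an immutable parameter set from the current state of this builder.
         *
         * @return the new parameters.
         */
        public PKIXExtendedParameters build()
        {
            return new PKIXExtendedParameters(this);
        }
    }

    private final PKIXParameters baseParameters;
    private final PKIXCertStoreSelector targetConstraints;
    private final Date date;
    private final List<PKIXCertStore> extraCertStores;
    private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap;
    private final List<PKIXCRLStore> extraCRLStores;
    private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap;
    private final boolean revocationEnabled;
    private final boolean useDeltas;
    private final int validityModel;
    private final Set<TrustAnchor> trustAnchors;

    /**
     * Snapshot the builder's state.
     * <p>
     * Every collection is copied before being wrapped as unmodifiable. Wrapping the
     * builder's own lists (or a trust anchor set still owned by the caller) would
     * leave a live alias behind the "unmodifiable" view, so a later add on the builder,
     * or a change to the caller's set, could alter which stores are consulted and which
     * anchors are trusted while a path is being validated.
     *
     * @param builder the builder to take the state from.
     */
    private PKIXExtendedParameters(Builder builder)
    {
        this.baseParameters = builder.baseParameters;
        this.date = builder.date;
        this.extraCertStores = Collections.unmodifiableList(new ArrayList<PKIXCertStore>(builder.extraCertStores));
        this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap));
        this.extraCRLStores = Collections.unmodifiableList(new ArrayList<PKIXCRLStore>(builder.extraCRLStores));
        this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap));
        this.targetConstraints = builder.targetConstraints;
        this.revocationEnabled = builder.revocationEnabled;
        this.useDeltas = builder.useDeltas;
        this.validityModel = builder.validityModel;
        // LinkedHashSet keeps the caller's iteration order while still taking a private copy
        this.trustAnchors = Collections.unmodifiableSet(new LinkedHashSet<TrustAnchor>(builder.trustAnchors));
    }

    /**
     * @return an unmodifiable list of the additional certificate stores.
     */
    public List<PKIXCertStore> getCertificateStores()
    {
        return extraCertStores;
    }

    /**
     * @return an unmodifiable map of certificate stores keyed by issuer alternative name.
     */
    public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap()
    {
        return namedCertificateStoreMap;
    }

    /**
     * @return an unmodifiable list of the additional CRL stores.
     */
    public List<PKIXCRLStore> getCRLStores()
    {
        return extraCRLStores;
    }

    /**
     * @return an unmodifiable map of CRL stores keyed by issuer alternative name.
     */
    public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap()
    {
        return namedCRLStoreMap;
    }

    /**
     * Return the time at which validity is checked (see the validity model constants
     * for how it is interpreted). Never {@code null}: a missing date is resolved to the
     * time the builder was created.
     *
     * @return a fresh copy of the validation date; Date is mutable, so the field itself is never exposed.
     */
    public Date getDate()
    {
        return new Date(date.getTime());
    }

    /**
     * Defaults to <code>false</code>.
     *
     * @return Returns if delta CRLs should be used.
     */
    public boolean isUseDeltasEnabled()
    {
        return useDeltas;
    }

    /**
     * @return Returns the validity model.
     * @see #CHAIN_VALIDITY_MODEL
     * @see #PKIX_VALIDITY_MODEL
     */
    public int getValidityModel()
    {
        return validityModel;
    }

    /**
     * Return a copy of these parameters. As every field is final and every collection
     * is an unmodifiable snapshot, the instance itself is a valid copy.
     *
     * @return this instance.
     */
    @Override
    public Object clone()
    {
        return this;
    }

    /**
     * Returns the required constraints on the target certificate.
     * The constraints are returned as an instance of
     * <code>Selector</code>. If <code>null</code>, no constraints are
     * defined.
     *
     * @return a <code>Selector</code> specifying the constraints on the
     * target certificate or attribute certificate (or <code>null</code>)
     * @see PKIXCertStoreSelector
     */
    public PKIXCertStoreSelector getTargetConstraints()
    {
        return targetConstraints;
    }

    /**
     * @return an unmodifiable set of the {@link TrustAnchor} objects paths must chain to.
     */
    public Set getTrustAnchors()
    {
        return trustAnchors;
    }

    /**
     * @return the initial policies of the base parameters.
     */
    public Set getInitialPolicies()
    {
        return baseParameters.getInitialPolicies();
    }

    /**
     * @return the signature provider name of the base parameters, or {@code null} if none was set.
     */
    public String getSigProvider()
    {
        return baseParameters.getSigProvider();
    }

    /**
     * @return the explicit-policy-required flag of the base parameters.
     */
    public boolean isExplicitPolicyRequired()
    {
        return baseParameters.isExplicitPolicyRequired();
    }

    /**
     * @return the any-policy-inhibited flag of the base parameters.
     */
    public boolean isAnyPolicyInhibited()
    {
        return baseParameters.isAnyPolicyInhibited();
    }

    /**
     * @return the policy-mapping-inhibited flag of the base parameters.
     */
    public boolean isPolicyMappingInhibited()
    {
        return baseParameters.isPolicyMappingInhibited();
    }

    /**
     * @return the additional {@code PKIXCertPathChecker}s of the base parameters.
     */
    public List getCertPathCheckers()
    {
        return baseParameters.getCertPathCheckers();
    }

    /**
     * @return the standard {@link CertStore}s of the base parameters (distinct from
     * the additional stores returned by {@link #getCertificateStores()}).
     */
    public List<CertStore> getCertStores()
    {
        return baseParameters.getCertStores();
    }

    /**
     * @return true if revocation checking is enabled, false otherwise. Taken from the
     * base parameters unless overridden via {@link Builder#setRevocationEnabled(boolean)}.
     */
    public boolean isRevocationEnabled()
    {
        return revocationEnabled;
    }

    /**
     * @return the policy-qualifiers-rejected flag of the base parameters.
     */
    public boolean getPolicyQualifiersRejected()
    {
        return baseParameters.getPolicyQualifiersRejected();
    }
}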